Re: [tor-talk] Iran cracks down on web dissident technology
1st, thanks for the refresher, Paul. I'll bet most users didn't know Tor was started by the NRL. Unfortunately, for many, that won't ease their minds much. I don't have the knowledge skills to check Tor's source code bet well 90% of users don't either. I know (knew) my comments on Tor being funded (or started) by any Fed organization would not be well received. Neither were the handful of people w/ inside knowledge after 9-11 attacks, shouting there was no justification in attacking Iraq. They were shouted down quickly labeled as unpatriotic. Even today, surveys show a significant percent of people still believe Iraq was responsible for 9-11 attacks. Don't confuse me w/ facts - I've already made up my mind. Again, WHY would Sam develop or fund technology that would make it possible for * their enemies * to communicate anonymously and privately, possibly allowing them to plot against him, with ABSOLUTELY no way to decipher that communication? It's a serious question. Please save the check the source code yourself comments. Open source code means literally nothing. Did it mean anything when Iraq cracked down on Tor users? Researchers often show that. What makes this project different than other govt funded projects? (This seems like the, It'll never happen here / to us mentality). It * IS * happening to us in pretty much every aspect of citizens' privacy. That's no secret. What makes Tor any different? If one govt can figure out how to identify Tor traffic, so can others. Above ALL else, govts NEVER reveal the full extent of their intelligence capability. That would be foolish. I've never known Sam to get involved in, or fund something - especially like this - * w/o wanting something in return.* Ever. WHETHER or not they make known, to anyone, what they want or intend to do. It's been shown for over 50 - 60 yrs (probably much longer) that even people in charge of entire govt projects (or govt funded ones), often don't know the *full* extent of what's being done w/ the research, technology, info, etc. If you want to ignore history, go ahead. On 3/20/2011 11:46 PM, Paul Syverson wrote: On Sun, Mar 20, 2011 at 10:04:45PM -0500, Edward Langenback wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Joe Btfsplk wrote: On 3/20/2011 5:08 PM, Eugen Leitl wrote: http://www.telegraph.co.uk/news/worldnews/middleeast/iran/8388484/Iran-cracks-down-on-web-dissident-technology.html Iran cracks down on web dissident technology... ... The value of ???internet freedom??? technologies to US foreign policy has not gone unnoticed in Washington: the Tor Project???s arms race with Iranian authorities is_funded in part by grants from both the Department of Defense and the State Department_. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk You've GOT to be kidding. Tell me that's a mistake. Tor Project, dedicated to privacy anonymity, takes $ from DoD Sam? While the US spies on it's citizens, unconstitutionally? That's rich. Honestly, this enlightenment will make me reconsider ever using Tor for anything I don't want sent directly to DC. It's like trusting car magazines' reviews that get their advertising $ from car manufacturers. There is no way the fed is going to give $ to any privacy organization w/o wanting something (cough, back door) in return. Every ISP has been forced into violating users' privacy. Why would Tor project, after taking $ from Sam, be any different? OK users, go ahead stick your head in the sand. EVEN if it's not true, for me, Tor project has lost a good deal of its credibility through its associations. Of course, no government would ever lie neither would a company (ATT, Ford, Google, R.J. Reynolds...). If I'm not mistaken, not only has TOR had at least some government / DOD funding from the start, the original project was started by the military. People seem to need a periodic refresher on this. I will just state the long public and published facts. Interpret them as you like. You can read more details at http://www.onion-router.net/History.html but here's a quick summary: I invented onion routing at NRL with David Goldschlag and Mike Reed in 1995-96 as a US Naval Research Laboratory project with initial funding from ONR. All of us were NRL employees at the time. Our first deployed system was in 1996 and source code for that system was distributed later that year. (Code was entirely US government work by US government employees, so not subject to copyright.) As part of a later NRL project, I created the version of onion routing that became known as Tor along with Roger Dingledine and Nick Mathewson starting in 2002. I have been an NRL employee throughout all this. Roger and Nick were contractors working on my project. NRL projects funded by ONR and DARPA were the only funding they had to work
Re: [tor-talk] Iran cracks down on web dissident technology
On 3/21/2011 2:39 PM, Paul Syverson wrote: On Mon, Mar 21, 2011 at 02:06:04PM -0500, Joe Btfsplk wrote: Last comments for a while. (All I have time for, sorry.) I'm just going to respond to specific issues about system threats and the like. I appreciate your comments the work of all involved w/ Tor. I read the papers you linked, though I've seen most of the material in various places. I will not join in the speculation about what governments do or why. Perhaps you should, because at least one govt seems to be steering the boat. Therein lies the problem (not you, specifically). My comments MAINLY questions, weren't about typical or even very sophisticated adversaries. They concern WHY any govt would continue funding an anonymous communication project that in today's world, very real enemies can use against said govt, in a very real way, if the govt has no way to monitor it? One should ask, Why would they do that? It doesn't make sense unless there's more to the story. Also, in terms of adversaries against something like Tor, any advanced, well funded govt dwarfs the most sophisticated adversaries. Many govts have unimaginable technology resources as well as legal (or not so legal) authority to demand info (from ISPs, etc.) that no typical adversary would. The threat models, discussion of thwarting various attacks, safety in numbers, etc., are all based on assumptions like, 1) the adversaries don't have unlimited time, resources $. That assumption is out the window if an adversary is a large govt. 2) The adversary doesn't have access to (some) info going IN and OUT of a network like Tor. Not valid for a govt. They can get what they want from ISPs - and have. The info may be encrypted going in, but they can see you're accessing a Tor node. A large govt could ALSO monitor every single exit node ( may). There's NO comparison between people looking at open code, universities or organizations doing small studies on flaws in Tor, etc., and capabilities of a large, advanced govt. So please, I'm not talking about how many people or universities look at Tor. Advanced govts no doubt have incredible technology regarding breaking encryption. Not a typical adversary. Since Tor was developed BY a govt, and since many talk about one of its greatest values is to allow people in repressed societies to communicate freely, the adversary those users need to be most concerned about, is probably the one MOST likely to breach Tor's anonymity. I doubt most people think Tor's main purpose is to hide communication between two cheating spouses. A govt helped develop Tor for SPECIFIC reasons (we probably don't know all of them) still funds it. Then for users around the world counting on Tor for protection from their govts, the govts would have to be considered as one of the main adversaries to Tor. Either the US is really dumb for developing a system, perfect for enemies to use against them (kinda doubt that) or there's more to the story. I don't pretend to know the answers, but know when to ask questions. For all I know, the US wants the enemy to use Tor for plotting, thinking they're anonymous, when they're not. No one's answering my specific questions, possibly because if they knew them, they'd be in top level govt positions, sworn to secrecy. For those doubting any of this has any merit, are you still waiting for them to find WMDs in Iraq? ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Iran cracks down on web dissident technology
On 3/21/2011 6:38 PM, Al MailingList wrote: That's a very good point klaus. Joe - if you think the US Government is one big cohesive entity that funds projects consistently from a single pool of resources and money then I would politely suggest you may not have had much to do with them :P Don't think that at all. Don't believe I said anything that even suggested. I'm speaking in general terms. My comments also regard more than one govt. In any govt project, there could be one or dozens of depts involved. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Iran cracks down on web dissident technology
On 3/22/2011 3:57 PM, Michael Reed wrote: BINGO, we have a winner! The original *QUESTION* posed that led to the invention of Onion Routing was, Can we build a system that allows for bi-directional communications over the Internet where the source and destination cannot be determined by a mid-point? The *PURPOSE* was for DoD / Intelligence usage (open source intelligence gathering, covering of forward deployed assets, whatever). ... The short answer to your question of Why would the government do this? is because it is in the best interests of some parts of the government to have this capability... -Michael ___ Very interesting, Michael. You were a part of it (or knew of it) it was because govt intelligence (you are aware many - not me - call that an oxy moron:)) wanted a system they could use for various purposes, where the source destination can't be determined by one of the mid points? That does make sense. BTW, I never said conspiracy - others did. Besides, many use the word or concept incorrectly. A govt developing technology to use in defending the country isn't a conspiracy. Covering up illegal activities, for instance, would be a conspiracy (like Watergate). If some govt has figured out how to decode Tor traffic (or use it to great advantage) to thwart terrorists, that's not conspiracy. I'm going out on a limb to say that US intelligence does not believe Tor gives terrorists a great advantage - for what ever reason(s), or else they'd shut it down, or at least stop funding it. But then, we other countries continue supplying arms to groups in various conflicts, which they often shoot back at us. That said, it may be an earlier poster's comment about lack of foresight may apply. It would seem that enemies *might* benefit from it as much as govts, unless govts are capable of more than many think they are. No one, except people w/ high level clearance (perhaps various countries) knows the full answer to that, and they're not talking. They thought the A-bomb was a good idea no other country would get the technology. Huh. I was on the fence on that one. It *may* be much like other ideas, such as the famous introduction of cats to an island, where they had no natural enemies. It almost destroyed the island's eco system. http://edition.cnn.com/2009/WORLD/asiapcf/01/12/eco.macquarieisland/ For what did you think might happen sorts of things that individuals govts do, I now reference them as Introducing Cats to an Island principles. Ideas that sound good at 1st, except for forgetting to ask (and seriously ponder) the most important question of all, What's the worst that can happen if we... Hey, let's build nuclear reactors on major fault lines all over the world. Yeah, that sounds good. Good night Mrs. Calabash, wherever you are. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Why the US Government funds circumvention projects (Like Tor)
clind...@garudallc.com wrote: Hi, I light of the recent discussions regarding governments funding projects like Tor, I thought this article might be of interest. U.S. develops panic button for democracy activists Full article: http://www.reuters.com/article/2011/03/25/us-rights-usa-technology-idUSTRE7206DH20110325 Now at http://www.reuters.com/article/idUSN2527265620110325 That's great. At the same time many govts allow mobile providers to track users, even by longitude / latitude. http://www.dslreports.com/shownews/NY-Times-Realizes-Wireless-Carriers-Track-You-113416 If mobile providers have the technology or are allowed to, so can govts. I sleep better at night just knowing (any) govt has its ( other countries') citizens' best interests at heart. (little sarcasm). A govt's word is as good as gold - they've never lied (from beginning of recorded history), have they? I am a little concerned though, about the US violating the constitution in numerous ways to spy on citizens in numerous ways. (remember the congressional hearings on telephone internet?) If you want to know what (any) govt's up to, have to go elsewhere dig deep for news insight, not depend on info from the govt(s), nightly news or newspapers. Don't ask the fox guarding the hen house how things are. Something is only a conspiracy theory when no facts, evidence (or sometimes even common sense about it) exist. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Google disable web-access to gmail for Tor-users?
On 4/2/2011 2:33 PM, katmagic wrote: Google requires you to be able to receive a text message or phone call to use a GMail account over Tor. This is unrelated to Torbutton's cookie handling (which was broken but has since been fixed). Personally, I got a friend on IRC to let me use his phone for it. 1st I've heard they REQUIRE a phone # to use Gmail over Tor. Anyone else aware this is the only way? I'd bet, from the Google message about unusual activity, it was because the exit node wasn't in the same country I used when created acct. Can you expand a little of Torbutton's cookie handling being fixed? Again, I'm using TB 1.3.2a. What are the criteria for TB to allow a site to set cookies? ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Google disable web-access to gmail for Tor-users?
On 4/3/2011 1:06 AM, Mike Perry wrote: Thus spake Joe Btfsplk (joebtfs...@gmx.com): On 4/2/2011 2:33 PM, katmagic wrote: Google requires you to be able to receive a text message or phone call to use a GMail account over Tor. This is unrelated to Torbutton's cookie handling (which was broken but has since been fixed). Personally, I got a friend on IRC to let me use his phone for it. Since I don't retrieve email by phone (certainly not from Google), I'm not going to give them my cell / home #. I'm not aware that I have another option for the phone contact, available to me, personally. Actually, you can also fill out a form online, giving info about the acct that only the acct holder would likely know (though this form is several layers deep, to get to). In my experiment, after entering required info, their official statement is, it may take up to 24 hrs for them to investigate reply. Must also have previously set up an alternate email address, where they'll send an authorization link. In my 1st attempt at this, took about 10 min to get an email, which would then allow resetting PW. This whole process is WAY too cumbersome for frequent use - just a learning exercise for me. It might be easier to find another mail provider that works better w/ Tor. This is possible. The unusual activity message is unrelated to cookie issues, and appears to have something to do with the exit node chosen to connect to gmail. Yes, thus my question about where the StrictExitNodes commands would be input / stored (maybe for specific country) ? From diff options presented (aside from giving google a phone #), if one wanted to use Tor w/ Gmail, maybe specifying specific country exit nodes would be fastest way to get into a Gmail acct. Though won't know if that prevents the unusual activity msg from Gmail till try it. I'll try Tor w/ other email providers to see if works better. Others can do same post results. Otherwise, Torbutton's default cookie policy is to allow cookies to persist in memory until either the Torbutton is toggled, or the browser exits. We plan to eventually extend this functionality to provide a New Identity button in the browser, to synchronize the clearing of all Firefox identifiers with the New Identity functionality of Vidalia/Tor... I am assuming (please correct) that if Firefox's accept cookies from sites option is UN checked (cookies denied globally), then for Torbutton to allow a site to set cookies during Tor mode, there MUST already be an exception to allow that site to set cookies, stored in permissions.sqlite? Re: Matthew's comment: Why not let TorButton handle your cookies or allow cookies then securely delete cookies.sqlite afterwards? It appears I didn't have an exception to allow google.com to set cookies. I seldom login to Gmail. Then, only allow temp / session cookies. However (for others' info), about cookies.sqlite - appears only persistent cookies are stored in it. Session cookies are not. I believe session / temp cookies are stored in memory, unless that's changed in FX 4. IMHO, if users are worried about privacy in email, they probably should another provider than Gmail. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Google disable web-access to gmail for Tor-users?
On 4/5/2011 12:52 AM, grarpamp wrote: First I've heard that they require SMS to *USE* gmail. However, SMS has been required for quite some time now to *CREATE* a new gmail account. There was a thread a few months back regarding creation. And to date, I've not been able to create a new gmail account without SMS from any exit anywhere on the planet. Nor from any residential DHCP pool I have access to. I've had this Gmail acct since 2007 (that I tried w/ Tor the other day after OP's question). I've not tried to create any new ones lately via Tor, so you may be right. What if you don't have a phone # to give them (or don't want to) - they just don't let you create an acct? In the past, I could use Tor w/ Gmail - assumed they changed policies. It's pretty nervy ( savvy) of them to attach a phone # w/ email acct. Obviously, people are eating it up w/ a spoon. Their google st. view had a pic of my house w/ car in front - showing license plate. Had them remove my house. FYI - I tried GMX w/ Tor couple days ago - worked just fine. I'd bet, from the Google message about unusual activity, it was because the exit node wasn't in the same country I used when created Yeah, they like to pop up red warning banners for avid travelers. I just hit dismiss, no SMS junk required. What do you mean by I just hit dismiss? When I tried Gmail thru Tor from a PC, there was no way to dismiss the screen. The only way (I found) around giving a phone, was fill out their investigation form, w/ a 2nd email, info about your Gmail acct, then wait for reply. I didn't follow the link they sent, but assume it'd require resetting PW. Not a good solution to this prob. I've never had any problems sending any message anywhere, at all. Are you talking about using Tor Gmail - recently, w/o SMS or other #? clicked through the help links and filled out some form explaining my desire for strong pseudonymity, and they lifted the block without a cell #. Was this a permanent lift of ban while using Tor? As in, you never had to ask them again or had problems logging in w/ Tor? ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Google disable web-access to gmail for Tor-users?
On 4/5/2011 4:54 PM, Praedor Tempus wrote: The problem with gmail appears to be tied to certain countries. I created a completely anonymous gmail account late last year (no SMS crap) via tor. I have found that most of the time I am able to connect to my account but there are times (wrong exit node/country?) when it refuses to let log in. I use tor button on mozilla, by the way. You must enable cookies and 3rd party cookies to be able to log in. The little I do use Gmail, I've never had 3rd party cookies ENABLED (login w/o Tor running) - no problems - even last week. If there's something diff about logging in w/ Tor that requires 3rd party cookies, I'd be surprised. Anything's possible, but I'd double check that. Google's already getting enough w/o requiring 3rd party cookies. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Google disable web-access to gmail for Tor-users?
On 4/5/2011 3:53 PM, Matthew wrote: Yes, thus my question about where the StrictExitNodes commands would be input / stored (maybe for specific country) ? Not sure if this was answered but you just put the entries in your torrc file. No, it wasn't answered - that I saw. Thanks. I know there's a lot on the Tor proj. site about editing torrc file. I thought it probably went there, but wasn't sure. I mentioned earlier in another reply, that might be easier to use another mail provider besides Gmail that works w/ Tor, w/o the hassle. IMHO, if one is concerned about privacy, the last mail provider on my list to use would be Gmail. Some others aren't much better, but google's straight forward about how they're going to scan your email (and everyone that replies to a Gmail email). If you have something you want to keep private, don't send it thru Gmail, for sure. Probably good advice, in general. Or use encryption. Some providers claim they don't ever scan mail - but I wouldn't stake my life on them keeping their word. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Google disable web-access to gmail for Tor-users?
On 4/5/2011 11:10 PM, grarpamp wrote: What if you don't have a phone # to give them (or don't want to) - they just don't let you create an acct? In my tests to date (limited by free time), yes, that's what I said. FYI - I tried GMX w/ Tor couple days ago - worked just fine. Yes, free alternates that work fine are always welcome suggestions :) I usually require https (creation and management), imaps (retrieval), smtps/submission (sending), no automatic addition of addresses to 'contact' lists when sent via web or smtp, and an outright account deletion function. There's a comparison of different webmail providers: http://en.wikipedia.org/wiki/Comparison_of_webmail_providers I'm sure there are others. Many have all the features you mention. When I started looking for alternatives, was quite surprised how many are avail besides big 3. I do use alternates. It's just that gmail... like yahoo and hotmail... has a certain credibility about it that the moronic public 'trusts'. ... That's why it would be useful to the anonymity/privacy community to figure this one out. Whether by testing, or perhaps even via formal contact with gmail, followed up with education and a plea for sanity if needed. The domain shown for my gmx acct is just gmx.com. I think even in full header, shows a US origin. I don't know if there's any stopping an 800 pound gorilla like Gmail / Google. My guess is Tor users are a tiny % of accts. Vast majority of most of internet users are clueless about dangers privacy invasion / data collection - not just w/ Gmail. Even w/ ongoing publicity of google's privacy violations (some they had to back down on), people still use it. That's not gonna change. I'm the world's worst must beat them (any entity) at their own game type person. But Tor users are usually more enlightened compared to gen. pop. Don't understand clinging to Gmail for dear life. Point taken about recipients being familiar w/ gmail, yahoo other familiar names. If more started using others - even on trial basis - they'd become more familiar names. I get a red one line warning bar near the top once in a while that says something like we noticed you coming from a strange place. set alert preference, or dismiss/ignore it. I also commonly get blue/red ones that say we don't have your recovery info: supply SMS -and/or- supply secondary email address both of which i hit dismiss/ignore on. None of these three nanny nag notices lock me out, require me to supply the requested info, require me to submit requests to let me live without suppling the info, or hinder my use in any way other than swatting down the nags once in a while. Looks like diff users get diff screens, at times, about the SMS verification and ability to bypass notices. I / others could try it diff times / ways, but just seems like (for Tor use) might be easier to use another provider. I'm tempted to try their form for new account creation (Mike's blurb). Yet I don't quite know how I would explain my request (refusal to supply). Even though it's none of their business (there aren't laws requiring them to gather very personal data), for a reason why I was asking to remove my house from street view, just stated I was law enforcement was worried about privacy / security of my family. I need to check if it's still removed. And creating another unlinked account elsewhere just for that takes time... and what happens if I deassociate it (in gmail) or delete it (on the provider) and miss or hit some sort of gmail reauthenticate wall months later. I'm not pushing any mail provider, but I found creating / deleting accts on GMX very quick. If using Tor w/ email is a goal, massive storage space w/ a provider probably isn't a concern. Neither is social networking features, etc. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Google disable web-access to gmail for Tor-users?
On 4/6/2011 7:27 PM, grarpamp wrote: Don't understand clinging to Gmail for dear life. They just happen to have some really good services and tie-ins that all rely on having a gmail/google account. I may just cough up $20 for a disposable phone to get that. If someday the services really become a real world value to me, sure, I'd get another phone or use my own, no problem :) ___ If I understand some Tor users' reasoning, they want to use Tor w/ email for various privacy reasons AND they want to use really good services tie-ins at the same time? Plus, some are concerned about having huge email storage while using Tor? Uh, not sure I understand that. I must be missing something. You do know anything stored on their servers isn't private? My questions here are sincere - trying to learn - why use Tor email (? on everyday basis ?) AND Gmail? Presumably, the email contents would only be hidden from ISPs - or perhaps prevented from being intercepted. The weakest link in chain is everything is exposed to Google. Maybe I'll learn something about privacy / security by meaningful input why Tor + Gmail are so important. No offense, but I don't consider really good services or storage, etc., priorities when using Tor (if I was going to use it w/ email). In some respects, if using Gmail, you may as well take out a front page ad on NY Times. So why the concern for certain features (vs basic email service) AND Tor compatibility? Why not use another provider w/ Tor, and a diff one (Gmail, if you insist) for everyday email? What are a few of the reasons for using Tor w/ email, where it's not just as easy to use another Tor friendly provider? IMHO, the brand recognition issue, especially when using Tor, doesn't make sense. If you want privacy, Gmail or anything remotely connected to Google isn't the place to be. Not an opinion - well documented over yrs. It's like saying, how can I stick my head in a lion's mouth w/o getting bitten? How about not sticking it in at all? ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] TB-1.3.2alpha don't work under FF 3.6.16
On 4/7/2011 6:21 AM, Orionjur Tor-admin wrote: TB-1.3.2alpha don't work under FF 3.6.16 from Ubuntu 10.10 distribution: I cannot save changing of settings (button OK don't pushable). TB-1.2.5 is workable with it. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk Did you go thru a complete uninstall process of TB 1.2.5 before installing 1.3.2? After uninstalling prev vers, try looking in about:config, removing references to torbutton. I had to do that once when changing versions. Make sure the old TB is gone from Firefox close FX before installing TB. I have found a couple of addons that seem to interfere w/ TB, or vice versa. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Google disable web-access to gmail for Tor-users?
On 4/7/2011 1:54 PM, grarpamp wrote: The shortest answer is that strong pseudonyms are useful, even (or especially) in a well connected social environment. Many people want to have those links. Many want use some of the services google offers: https://www.google.com/intl/en/options/ Many want to participate in the scene... just not as themselves. Point taken. If I understand, the reason many want to use Tor w/ Gmail isn't for email - other services / options? Because if they are using it for email, it's not private on Gmail (or a lot of others) - other than your IP address, if can successfully login w/ Tor. I get trying to beat the system - as I often do, but I try to take the path of least resistance. Aren't most / all of the options, or even better ones (except ones dealing w/ gmail) available directly, instead of going thru Gmail? Is it just a matter of convenience of having many options / links in ONE place? Maybe some of those sites won't allow Tor either? I'm trying to see what I'm missing that can't be found anywhere except through google. If I wanted to blog *anonymously *, I wouldn't do it on Google. Maybe there are SOME just not available anywhere except Google / Gmail??? If I wanted to use google search, I'd use Scroogle SSL. If wanted to look at youtube, I'd go to youtube. If I suddenly lost most brain function wanted to organize my medical records online, google is the last place on God's green Earth I'd choose - via Tor or not. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
[tor-talk] endless list of scrubbed circuits
Using vidalia bundle 0.2.10 / 0.2.30 w/ Torbutton 1.3.2a in Vista x64, Firefox 4.0 Loading the simplest web page (no busy sites, no d/l sites, etc.) is incredibly slow, usually times out. Much slower than I've ever seen it unless there was something wrong w/ internet conn in general. Seems like it started when upgraded (actually did clean install) of latest Vidalia bundle. Not a one time thing - have tried it on diff days at diff times - always slow. Software seems to be loading OK - Tor, vidalia, polipo are all running. Tor chk sites confirm using Tor exit node. There's an endless, constantly increasing list of scrubbed circuits - like below. It just keeps going thru them like a ticker tape. Apr 08 14:36:37.277 [Notice] We tried for 15 seconds to connect to '[scrubbed]' using exit 'politkovskaja'. Retrying on a new circuit. NOTE: I CAN connect to some sites using Tor - so it IS working, it's just so slow, apparently because of all the scrubbed circuits, it's of no use for anything. Any ideas what's causing this behavior? I did uninstall / reinstall tor bundle. Have closed Tor browser, then restarted - no joy. Thanks. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] endless list of scrubbed circuits
Edit: I uninstalled / reinstalled Vidalia bundle (once more). This time I del all files in (Vista) C:\users\user name\App Data\Roaming\Tor\ Now as soon as start Tor enable Tor button 1.3.2, pages load fairly quickly. I don't think it should be necessary to install / uninstall / reinstall 3 times to get it to work. I always shut all other prgms before installing. Though never have problems installing prgms w/ Kaspersky IS 2011 running (it notifies whether it trusts the prgm or not), I shut it down disconn. from web. After doing all the above, seems to finally work. Maybe this will help others. On 4/8/2011 2:46 PM, Joe Btfsplk wrote: Using vidalia bundle 0.2.10 / 0.2.30 w/ Torbutton 1.3.2a in Vista x64, Firefox 4.0 Loading the simplest web page (no busy sites, no d/l sites, etc.) is incredibly slow, usually times out. Much slower than I've ever seen it unless there was something wrong w/ internet conn in general. Seems like it started when upgraded (actually did clean install) of latest Vidalia bundle. Not a one time thing - have tried it on diff days at diff times - always slow. Software seems to be loading OK - Tor, vidalia, polipo are all running. Tor chk sites confirm using Tor exit node. There's an endless, constantly increasing list of scrubbed circuits - like below. It just keeps going thru them like a ticker tape. Apr 08 14:36:37.277 [Notice] We tried for 15 seconds to connect to '[scrubbed]' using exit 'politkovskaja'. Retrying on a new circuit. NOTE: I CAN connect to some sites using Tor - so it IS working, it's just so slow, apparently because of all the scrubbed circuits, it's of no use for anything. Any ideas what's causing this behavior? I did uninstall / reinstall tor bundle. Have closed Tor browser, then restarted - no joy. Thanks. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] endless list of scrubbed circuits
On 4/8/2011 5:35 PM, Mike Perry wrote: Thus spake Joe Btfsplk (joebtfs...@gmx.com): Using vidalia bundle 0.2.10 / 0.2.30 w/ Torbutton 1.3.2a in Vista x64, Firefox 4.0 There's an endless, constantly increasing list of scrubbed circuits - like below. It just keeps going thru them like a ticker tape. Apr 08 14:36:37.277 [Notice] We tried for 15 seconds to connect to '[scrubbed]' using exit 'politkovskaja'. Retrying on a new circuit. NOTE: I CAN connect to some sites using Tor - so it IS working, it's just so slow, apparently because of all the scrubbed circuits, it's of no use for anything. Any ideas what's causing this behavior? I did uninstall / reinstall tor bundle. Have closed Tor browser, then restarted - no joy. One of the things that can cause this is a set of bad guards (the first hop in your Tor circuits). If you got unlucky and Tor picked only slow guards, this can cause you poor performance. You can check them out in the vidalia window by noting the first hop in your circuits. There should only be 3 different nodes chosen for that first hop. Note you should not post your guard list in public, as it can be used to identify you. If that is the issue, you can try using bridges to see if that helps, or you could try to stop tor and wipe away your tor state file, which will cause new guards to be chosen. Are you saying a bad guards can cause an ENDLESS, rapid stream of log entries: We tried for 15 seconds to connect to '[scrubbed]' using exit 'x'. Retrying on a new circuit? When it is doing this (it seems) the listed speed of the 3 nodes in the 1st hop are often listed as high. Listed speed may mean nothing. If it * does * mean anything, then that isn't the only problem in my case, because they often show higher speeds. But I digress. If we're talking about same thing, the entry guard - in Tor Network Map, 1st entry under connection column in L pane? When select that 1st connection, shows 3 nodes in R pane, w/ their IP address, bandwidth, etc. Early last evening, after reinstalling Vidalia bundle again, I was able to load pages * almost as fast as w/o Tor. * (yes, I'm sure Tor was working) I tried a # of pages - all worked well. Looked at the Vidalia log - didn't see constant stream scrubbed circuits. It was still quite early would've been lots of traffic. Regardless of what the 1st 3 nodes look like, it *seems * when I'm able to connect to a site - at all - the behavior of an endless stream of scrubbed circuits in the log is NOT happening. When it IS happening, connecting to any site (not high traffic ones, or very slow servers) either fails or takes well 1 min (usually more, IF at all). Usually, by then it times out. It's not the site's servers, because can stop Tor same sites load instantly. I've tried this on numerous sites, days times, that I know to usually be fast w/o Tor - or w/o it. If this was the typical state / function of Tor network, no one would be using it, so I know it can't be happening to everyone on a regular basis. This is now the norm rather than exception, for me. As it is, Tor is useless for me 90% of time (I mean it won't load pages - at ALL). Today, checked it again basically can't load pages at all - even though (at times) the 3 nodes in entry guard all show fairly high speeds, while still unable ot load pages. Again, at times, entry guard changes frequently. I stopped Tor, wiped the Tor state file (the lock file - what ever it can contain - is empty now). It did cause pages to load much faster - for now. If bad entry guards are the problem AND if happening to most users MOST of the time, like me, I'll need a clear Tor state file button addon. :-( By design, how often does the entry guard (and the 3 nodes in it) change / get refreshed - w/ no user intervention? I've noticed at times, mine seems to change quite often - sometimes every 30 - 60 sec or so. When I AM able to load pages normally (by Tor standards), I don't think the entry guard is constantly changing, but the log definitely does not show a constant stream of scrubbed entries. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] To Toggle, or not to Toggle: The End of Torbutton
On 4/21/2011 1:22 PM, Kraktus wrote: Well, if I had an 8-core machine with 4+GB RAM, or even a single-core machine with over 1 GHz and at least 1GB RAM, I'd probably have four browser profiles for Firefox alone: ... However, seeing has how my computer is single core, less than 1 GHz, and has less than 1GB RAM, running one instance of a modern browser is hard enough on the poor thing. Don't know if you were replying to the earlier post (that I wasn't sure if he wanted to install 2 versions of FX on his machine). Why would you want to run several instances of Firefox - SIMULTANEOUSLY? When I said it was easy to install multiple versions, or multiple instances of same version, didn't expect users would be running them at the same time. If you are short on RAM / CPU want different VERSIONS, of course have to install them in diff folders, set them to use diff profiles (if desired). But, other than needing to switch between running installations for a specific purpose, no need to have them running simultaneously. Run one when thru w/it, shut it down start the other. I believe you can also run simultaneous instances of same FX version (most likely using different specified profiles). Typically, one install will be the default. Others can be started using specific profiles by adding the profile name (or full path incl profile name) in the shortcut target box, after the path executable. Like after C:\..\firefox.exe -p myprofile4-21-11 -no-remote This assumes the profile name is already entered properly (or created) in Firefox's profile.ini file. You can create a new profile name using the profile manager. The firefox 4 [beta profile mgr] (not yet incl w/ the setup) has more options than one w/ FX v3.x. I've used it - had a couple minor issues, but over all, allows specifying which installed version will use which profile. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] To Toggle, or not to Toggle: The End of Torbutton
On 4/22/2011 6:32 AM, Kraktus wrote: If I had a nice high CPU high RAM machine, you mean? ...I'm actually using a similar browser that's close enough that it can still use Firefox 4 add-ons. Also, JonDoFox makes running multiple instances of my non-Firefox quite easy: there's a menu option for it. Anyway, that's not the problem. The problem is that if I actually try to do it, this poor machine basically grinds to a halt. Been there before w/ older machines, short on resources. However, situations like yours aren't limited to running multiple instances of any specific prgm - it prevents running several apps at once, not just multiple browsers. In your situation, only thing is to limit # of apps that auto start in background, if you need different browser configurations, run one instance at a time. Kind of a pain to close one browser / profile then start another. If you haven't already ( do so regularly), stop all unnecessary prgms from auto starting at boot up. These can eat up precious resources on older machines. An addon, Tab Mix Plus gives more options about saving sessions / open tabs, history, etc., than Firefox's native session restore. May make it a bit less hassle to close browser, use another profile, close it, go back to origninal. Most of the configurations you're concerned about (incl the addons installed) are stored in the profile. Except for those that have resources want to run multiple browser instances - at once - one installation of Firefox will suffice, creating different profiles (then either using Profile Mgr to chose which profile to use at startup, or adding commands which profile to use, after each separate start icon). ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] no country flags in Vidalia 2.10
On 4/27/2011 1:41 PM, Joe Btfsplk wrote: ... Tor couldn't find a geoip file ... because it didn't CREATE the geoip file in the limited user's ...\roaming\tor folder. It DID create the geoip file in the admin acct... I'm using bundle 2.1.29 / 2.10 [and now 2.1.30 / 2.12] in Vista x64 Is this a bug in Tor installer? If I copy the geoip file from admin acct to user acct path, the country flags show just fine, running Tor in a user acct. On 4/27/2011 2:52 PM, Javier Bassi wrote: I also can't see country flags with Vidalia 0.2.12 in linux. The logs don't say anything about it. I use TorStatus if I need the flags for something. On 4/27/2011 9:34 PM, and...@torproject.org wrote: On Wed, Apr 27, 2011 at 04:52:26PM -0300, javierba...@gmail.com wrote 2.0K bytes in 51 lines about: : I also can't see country flags with Vidalia 0.2.12 in linux. The logs : don't say anything about it. Did you install tor-geoipdb package? My question on Tor installer no adding the geoip file to user acct didn't get answered (yet) - but Andrew's reply to Javier's issue in linux brings up another question - when using Windows (Vista). Is there tor-geoip... package that can be downloaded / installed in windows (or should be, for certain purposes, like...?) ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
[tor-talk] accessing Gmail via Tor revisited
A week or 2 ago, several had quite a discussion on accessing gmail accts (I could not - at the time), creating new accts, verification requests, etc. I believe Erin said (she ?) could login successfully by limiting exit nodes to same country as used when acct was created. I can confirm that worked for me - at least a couple of times, so far. Once I set the ExitNodes {cc} (where cc is your country code) used the StrictExitNodes 1 commands in torrc file, I could login to an existing gmail acct. Of course, aside from keeping a local ISP from intercepting ? something from goggle acct packets (or hackers intercepting in transit), there's no secrecy in accessing any acct w/ Tor (ESPECIALLY involved w/ google), unless it was CREATED via Tor. Unless one managed to completely hide their true IP address / country, etc. when creating the acct. So, logging in isn't the true privacy issue - creating an acct - via Tor - W/O providing a cell / phone # is the issue. I never read any definitive conclusions in the discussion whether new Google, Gmail, YouTube acct could be created (in U.S.) w/o SMS authentication. If you don't have a cell phone, or don't want to give them your cell / landline # (who wouldn't want to???), I never read a consensus of if how it could be done. It seemed diff people got diff screens / menus when they were going thru the whole process. Some said they just by passed the authentication request screen. Others (like me) weren't given an option to bypass such screens, if trying to create a new acct (w/ or w/o Tor). ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] TB for Win
On 5/3/2011 1:20 AM, Jerzy Łogiewa wrote: this i agree. what about a default tor skin like chrome 'incognito' has ?? -- Jerzy Łogiewa -- jerz...@interia.eu On Apr 12, 2011, at 3:38 PM, Erinn Clark wrote: I'm more worried that users will have two Firefoxes open, and accidentally use the wrong one because they can't distinguish between the two. It's hard to anticipate which things would go wrong. - Zapytaj wrozke! Sprawdz http://linkint.pl/f29a2 Don't know if it violates any Mozilla license terms, but the Firefox 4.x button (upper L corner) has room to add letters / words. Could be anything like Firefox-Tor or Tor-Firefox, etc. Color of button could be changed (possible now using addons or chrome files). Also, color / text of startup icons could be different (desktop, quick launch). Whatever is decided by Tor project, if users decide to modify the TB UI further, then mixing up Tor non Tor browsers would be their fault. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Logging in to Yahoo e-mail accounts now failing???
On 5/20/2011 6:45 AM, Curious Kid wrote: From: grarpampgrarp...@gmail.com To: tor-talk@lists.torproject.org Sent: Fri, May 20, 2011 10:17:02 AM Subject: Re: [tor-talk] Logging in to Yahoo e-mail accounts now failing??? If yahoo is actually rejecting log-in attempts based on perceived geographical information, what do they think that they are achieving? I can speak for no one else... however I think that any provider of online services that does this is foolish. Do we think they are actually doing this? I've used my Yahoo account all over the world. The timing of this is suspect. They are now rolling out Yahoo! Mail Beta. To use it requires accepting their new terms of service and privacy policy. From http://info.yahoo.com/privacy/us/yahoo/details.html When you register we ask for information such as your name, email address, birth date, gender, ZIP code, occupation, industry, and personal interests. There's no such thing as a free lunch. FYI - for the all - trusting users of free email providers, don't give your real information. There's no upside lots of potential very bad down side. As far as the relatively new practice of Goggle ? others ? asking for a cell # in some cases to verify your identity, any data they ask for as backup security measures (like security questions), or a phone # is stored in a data base. Other than them getting a phone # for marketing purposes, having additional security questions would probably provide sufficient security if they suspect suspicious behavior before one actually logs in. If someone actually gains access to your acct, then a provider having a phone # is irrelevant (unless they show it in your acct). If the phone # is shown in acct settings (don't know - never gave them one), hackers gaining access now have that. If hackers get in your acct, security is out the window. If they're trying, but being asked for backup ID info, many types of info would provide sufficient security. Their argument is probably, the user has to physically possess the (cell) phone to receive security related correspondence from the provider. Maybe, but I imagine the real reason is to get around the telemarketing no call laws. Once you have an established business relationship w/ a company (by signing up for their service giving an address, valid phone #), technically they are exempt from no - call telemarketing laws. Security questions provide no marketing advantages for them. Note: I never give normal answers to security questions. Oldest sibling's name might be krankcace, etc. If you put lady gaga as favorite singer, you might deserve to have an acct hacked.:) Google, Yahoo, etc., apparently believe it necessary to employ much greater security techniques than banks, Fidelity, Vanguard, etc. For some financial products and services we might also ask for your address, Social Security number, and information about your assets. If users give Yahoo, Google (or services marketing through them) an SSN, good luck. There's probably no end to amount of junk mail you'll receive based on your credit scores. Yahoo! displays targeted advertisements based on personal information. ... Yahoo! provides personally relevant product features, content, advertising, spam and malware detection by analyzing your email. Some of these features and advertising will be based on our understanding of the content and meaning of your emails. For instance, we analyze email messages to identify key elements of meaning and then categorize this information for immediate and * future * use. Don't write anything in email that you wouldn't want the world to know, unless 1st compose it outside of their websites then encrypting the file, before sending by email. By using the Services, you consent to allow Yahoo!’s automated systems to scan and analyze all incoming and outgoing communications content sent and received from your account... If you consent to this ATOS and communicate with non-Yahoo! users using the Services, you are responsible for notifying those users about this feature. Companies w/ these types of policies scan your friends' correspondence with you, as well as yours. Don't write anything in normal email that you wouldn't want the world to know. Why this practice is deemed legal in some countries, don't know. By contrast, persons have been prosecuted for hacking into their spouse's email. A lot of people correspond w/ doctors, lawyers by email. Do you really want that type of info being analyzed ( info stored for future use)? There should be some expectation of privacy for email, but there isn't. Unless you want to catch a cheating spouse - then you might be prosecuted. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] problem with facebook account
On 5/29/2011 5:38 PM, Zaher F. wrote: can somebody help me about blocking accounts on facebook when i am using tor??? i guess that should be a code country i can retrieve my account without using phone number am i right or what??? I don't have a facebook acct, so not positive. Often, pages won't let you log into acct if your Tor exit node is coming from a diff country than one you signed up with. Some have success by using the ExitNodes command in Vidalia torrc file using the same country code as when acct was created. If want to be sure it only uses exit node from the country specified, use the StrictExitNodes 1 command after the ExitNodes. See the manual link on Tor projects documentation page. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] problem with facebook account
On 5/29/2011 11:47 PM, David Carlson wrote: The manual is not really clear about what a country code is or where to find yours. I searched the internet for Country Codes and found a list somewhere, but I do not recall right now where that list was. In any case, the strict exit nodes solution solved a similar problem for me. David The manuals' are fairly sparse in many areas. No offense to the writer(s) - but much seems to be written for users completely familiar w/ usage configuration - a very common issue. Could be shortage of developers' / knowledgeable volunteers' time. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] password...
On 5/30/2011 10:21 AM, kamyar fils wrote: So i can't choose which country? On Mon, May 30, 2011 at 4:57 PM, kuhkatz kuhk...@googlemail.com mailto:kuhk...@googlemail.com wrote: click new identity in vidalia. or wait 10 minutes and tor will automagically create a new circuit. both will not kill existing connections. Yes, as stated before, you can edit the torrc file in you user's profile, Vidalia folder, to use only countries specified by you, using the ExitNodes {cc} command, where {cc} is the country code you want. To make sure it uses exit nodes in that country, use the StrictExitNodes 1 command in torrc file after the ExitNodes command. You should back up the original torrc file before making changes. https://www.torproject.org/docs/tor-manual.html.en - help w/ torrc commands. Search the web or go to http://torstatus.blutmagie.de/index.php to get list of country codes. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Police was here - whats next?
On 5/30/2011 2:46 PM, Clemens Eisserer wrote: Hi, Today police was here and took all my cohabitant's computer hardware software with them, while I was alone at home. Until a few minutes ago I didn't even know what happend, now he told me he is accused of loggin into a porn site. I ran a tor exit node at that time, and I am confident somebody mis-used our tor exit node, as our WLAN is WPA2 encrypted. Are there lists or logs available, which exit nodes were running on which IPs? I am interested in a small period in March 2010. Thank you in advance, Clemens ___ Are you saying the police were able to trace your room mate's alleged activity WHILE using Tor, and / or logs from the relay will help them confirm this are you worried that police will be able to * retrieve logs * from your relay activity? That the room mate's alleged activity has nothing to do w/ running the relay (he / she wasn't using Tor)? ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] When to use and not to use tor.
I'm not a guru in this dept - only what I've read. Reason usually given not to use Tor for Banking is because the Tor exit node has to send unencrypted data to your target site (like bank PWs). Unless your communication w/ that site was somehow encrypted ( a login PW wouldn't be). A malicious exit node operator could sniff the packets coming thru the relay. Just visiting a site where you're not required to enter private data doesn't allow a malicious exit node operator (or anyone else) to capture private data. In the case of banking, instead of just making a direct connection between you the bank https (using SSL / TLS), using Tor is introducing an unknown 3rd party. That's basically why. Same thing w/ unencrypted email. An exit node could intercept it (though by far, most don't), but if it's really confidential info, don't send unencrypted email thru Tor. If it's that confidential, you might out to encrypt email anyway. There are services (like Hush Mail) - for max privacy, I'd opt to install their software vs doing everything on their servers. Also a Firefox addon, Enigmail that allows using open PGP (GNU PG) encryption in a client like Thunderbird. Haven't used it, but been thinking of checking it out. On 6/11/2011 4:00 AM, Fernan Bolando wrote: Hi all I have seen posts on various websites giving a general rules on when and when not to use tor. I have seen, however any official documentation on from torproject or any of the privacy website like eff. Does such a documentation exists? can somebody point me to it. examples dont use tor in banking or financial transactions dont use tor in non encrypted email regards fernan ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] When to use and not to use tor.
On 6/12/2011 1:22 AM, Seth David Schoen wrote: Your communication with an online banking site usually _would_ be encrypted with HTTPS, which would encrypt your login password. For instance, if you were banking with Bank of America, you would normally start your login process at https://www.bankofamerica.com/ You are correct Seth. I misspoke when I said login info on an encrypted site would not be encrypted - it would be. I'm not sure of the answers to questions I'm posing - but they are good questions. Note, there are significant differences of the cipher strength of encryption used on different HTTPS site - even financial institutions. How hard would it be for a exit node operator to crack your (captured) encrypted PW? Depends. If a Tor exit node can capture a packet (and they can), what prevents them from using sophisticated software, available to any 14 yr old, to try crack the encryption? They do know the packet was headed to SomeBank.com. If Fernan's goal is anonymous online banking, I guess he'll need to use some proxy. What does anonymous banking mean - not wanting your ISP to know which bank sites you use (even if they can't see encrypted data)? Once logged in, the bank pretty much knows it's you. Just a thought - what if one logged directly into their bank's encrypted site - using no proxy their site was hacked (their site, not your computer). Or something goes wrong using a 3rd party of any kind to log into bank's site, and you tell them / they find out, I was using Tor (or other) to login the 3rd party intercepted my info. In which case is the bank likely to be more sympathetic? I don't know that using Tor or other proxies enhance security of logging into secure sites at all. AFAIK, Tor is intended to increase anonymity, not security. There are regularly many, many new posts articles about ongoing experiments on capturing evaluating Tor traffic (and I'm sure other proxies). What was impossible yesterday is often common tomorrow. But if you're using webmail, you could use HTTPS to connect to the webmail operator over Tor, thereby protecting your e-mail from the exit node operator. HTTPS would protect it from an exit node, but not from from the email provider or from gov'ts of most technologically developed countries. If you want to be sure others besides the recipient aren't reading your email, use encryption. Even then, unless you're sure what the recipient will do w/ it, or their level of computer security, don't send anything in email you might not want others to read. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Maintaining your privacy sending e-mails
On 7/7/2011 1:04 AM, jsz wrote: How do you manage to send e-mails? I'd like to send e-mails in an anonymous way but most of the webmails make it very difficult Try to use an anonymous e-mail account and connect to that account via TOR. E-mails shoud be encrypted locally (with GnuPG) so that servers do not see the unencrypted text. Mail shoul be stored locally on a Truecrypt volume. Jacek Szymona I'm just throwing this out there - haven't used / investigated it. Thunderbird (5, maybe 3?) has a selection under Options to Encrypt this message. Have NOT read what type encryption or effectiveness. A very brief search a few wks ago turned up nothing. In compose window, when click the use encryption, if you haven't set it up, will get a popup, You need to set up one or more personal certificates before you can use this security feature. Would you like to do so now? That's as far as I got investigating it. Enigmail addon for Thunderbird is fairly popular uses GnuPG for encryption. I've been thinking of trying it myself. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] tor-0.2.2.30rc, torrc, ExitNodes, EntryNodes parameters.Not Recognized.
On 7/12/2011 1:24 PM, Luis Maceira wrote: I define some entry nodes or exit nodes in torrc and tor-0.2.2.30rc ignores them completely.Is this a new feature of 0.2.2.x series of releases? ___ Are you using Vidalia bundle or browser bundle? Did you edit it while Tor was running? Did you close all Tor, Vidalia, browser processes, then restart after editing torrc? And made sure the changes were saved? (I've failed to save changes made in files - or something went wrong) Did you use the StictExitNodes 1...command after defining the exit nodes? https://www.torproject.org/docs/tor-manual.html.en ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] spam??/socks4a for mac
On 7/19/2011 12:00 AM, M wrote: Hey guys.. i have sent several messages to the list. but i hardly receive any response! I was wondering maybe it was landing in people's spambox. If you receive this message, can you just add a note so i know that my messages are going through? Also a question.. does anyone know any mac software which can route programs through socks4a? i searched quite a bit on the net but could not find any. thanks alot in advance! I got it. I did have problems for a bit w/ Tor-talk mail getting filtered by GMX, but once added the address to my contacts list, no problems. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] No BetterPrivacy for Tor?
On 8/2/2011 6:54 AM, M Robinson wrote: Hello, I updated Tor and was adding few addons, out of habit I went to the BetterPrivacy add-on page and got this message This add-on has been removed by its author so tried again We're sorry, but we can't find what you're looking for. The page or file you requested wasn't found on our site. It's possible that you clicked a link that's out of date, or typed in the address incorrectly. So, is this a Tor thing or is Mozilla selectively blocking add-ons by country of origin? If I don't use Tor this add-on is available. When you say, out of habit I went to the BetterPrivacy add-on page..., did you mean the AMO site, or developer's home page, http://netticat.ath.cx Well, as I read your post I saw there was an update for BetterPrivacy avail. Curious, I looked at the AMO site - I didn't get any msg nor found the Better Privacy addon. So, found these couple of non definitive blurbs on developer's forum: For safety and update-reliability it is always recommended to install any software directly from the developer sites. Especially on AMO this is no longer granted since the site started to modify the original add-on compatibility information based on automatic scans - though they admitted that those scans might be unreliable when it comes to GUI http://blog.mozilla.com/addons/2011/04/19/add-on-compatibility-rapid-releases/. Therefore I'm even considering to completely remove my add-ons from there. Also, a user posted question like yours on developer's forum today - but no response yet: http://netticat.ath.cx/forum/viewtopic.php?id=485 Today 20:33:01 http://netticat.ath.cx/forum/viewtopic.php?pid=1720#p1720 * Guest Thank you for BP 1.66, which I downloaded directly from 'your' site, after experiencing the freezing issues with 1.65. (I also have TACO installed.) I am concerned, however, that the Mozilla Add On site has the following note for this add-on: This add-on has been removed by its author. Should I be uninstalling it? Please advise. Thank you. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
[tor-talk] Reason Firefox version in TBB is so far behind?
Are there specific reasons for not using latest (or late-er) Firefox versions in Tor Browser Bundle? Is it primarily because the latest version doesn't always work w/ Tor fixes must be developed for Tor to deal w/ that? I can understand that, but many of the changes in FF versions are security patches. How does not using the FF version w/ latest security patches affect Tor users' security? ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Reason Firefox version in TBB is so far behind?
On 8/2/2011 7:41 PM, Joe Btfsplk wrote: On 8/2/2011 7:10 PM, Andrew Lewman wrote: On Tuesday, August 02, 2011 19:55:48 Joe Btfsplk wrote: Are there specific reasons for not using latest (or late-er) Firefox versions in Tor Browser Bundle? Is it primarily because the latest version doesn't always work w/ Tor fixes must be developed for Tor to deal w/ that? It's the latest udpated Firefox 3.6 branch. FF4 branch has been killed and replaced with 5. We have FF5 testing bundles. See https://blog.torproject.org/blog/new-tor-browser-bundles-3. Thanks. I realize the latest stable TBB has FF 3.6. Is the reason for delay in updating to latest FF version always for testing - to see if Tor works properly? Firefox versions used in stable TBB have always run behind the latest FF release - sometimes several versions. This may well be unavoidable for TBB developers. My original question - how does this affect the security of TBB users? ___ No comments on security implications of using a Firefox version in TBB, that isn't up to date with security fixes (sometimes not even close)? I'm grateful for the work done to create TBB, but the mantra of security experts has always been, ALWAYS keep your browser / OS updated w/ security patches. As said, it may be unavoidable (currently) for TBB developers to integrate new FF versions quickly, but surely I'm not the 1st to wonder about security issues of using old browser versions. The testing bundles Andrew mentioned are fine for, well... testing, but not for general users. It's a long way many fixes, from Firefox 3.6 to 5.0 / 5.0.1. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] New Tool Keeps Censors in the Dark - mentions Tor.
On 8/5/2011 4:42 PM, Martin Fick wrote: --- On Fri, 8/5/11, berta...@ptitcanardnoir.orgberta...@ptitcanardnoir.org wrote: http://www.technologyreview.com/communications/38207/?p1=A1 It's worth reading the paper: I think that simply getting high profile sites to run to r nodes would be more likely and less invasive to the internet as a whole. If google were to simply run a bunch of bridges, or even known tor entry nodes, that would likely be more reliable and be less pie in the sky. If you compare the advocacy it would take to get enough ISPs to implement this scheme versus the advocacy to get a few high profile (can't live without them) sites to run tor nodes, I suspect the latter would be much easier. -Martin You lost me at If google were to... Google privacy is the definition of an oxymoron. They're way down the list of organizations many users would want having any role in some anonymity endeavor. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] New Tool Keeps Censors in the Dark - mentions Tor.
On 8/6/2011 10:56 AM, Jimmy Richardson wrote: This won't work well seeing Google is already kicked out of China. Exactly. You lost me at If google were to... Google privacy is the definition of an oxymoron. They're way down the list of organizations many users would want having any role in some anonymity endeavor. This is not about privacy, it's about anti-censorship, and Google is a good resource in terms of anti-censorship. How so - other than not wanting their corporation to be censored? Do they have a record of refusing to give data to gov'ts? Privacy, anonymity anti-censorship seem interrelated. Anonymity implies privacy. Google is in business to make money, not promote anti-censorship or free speech. Censoring them cuts into their earnings, so yes, they are against censorship - * involving their corporation. * IMO, if I lived in a country where my life or possible imprisonment depended on internet anonymity / security, I wouldn't trust Google to keep me safe. I'm quite sure other entities eventually could provide some service / method to access banned sites, w/o $ being the main objective. Forget Telex or Tor for the moment. Eventually, individuals or groups have always found an underground way around censorship (if they wanted to) during wars, etc., sans the internet. The answer to avoid censorship may not involve the internet at all. Ultimately, passing or accessing censored or what gov'ts consider subversive info * through any ISP,* that keeps records is legally bound to cooperate w/ govt's doesn't seem like the best idea. I wouldn't go to the NSA's office to have a secret phone conversation. Just my opinion. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Reason Firefox version in TBB is so far behind?
On 8/9/2011 4:55 AM, Robert Ransom wrote: That is why we ship the latest version of Firefox on the 3.6 branch in our stable TBBs. Mozilla is still releasing security updates on the Firefox 3.6 branch. As you can see from https://blog.torproject.org/blog/new-tor-browser-bundles-3 , Firefox 3.6.19 and Firefox 5.0.1 were released on the same day. That is because Firefox 3.6.19 and Firefox 5.0.1 are security-fix releases that fix the same security bug. (Firefox 4.0, 4.0.1, and 5.0 are no longer safe to use, even though their version numbers are greater than 3.6.19.) On 2011-08-05, Joe Btfsplkjoebtfs...@gmx.com wrote: As said, it may be unavoidable (currently) for TBB developers to integrate new FF versions quickly, but surely I'm not the 1st to wonder about security issues of using old browser versions. The testing bundles Andrew mentioned are fine for, well... testing, but not for general users. It's a long way many fixes, from Firefox 3.6 to 5.0 / 5.0.1. There are some bugfixes in Firefox 5.0.1 that aren't in Firefox 3.6.19 -- notably, Mozilla finally applied our patch to fix Firefox's hard-coded timeout when using a SOCKS proxy, so Firefox 5.0 and 5.0.1 no longer require an HTTP proxy such as Polipo between the browser and Tor -- but the main difference between Firefox 3.6.x and Firefox 5.0.x is that Firefox 5.0.x contains many new features. And those features introduced a crapload of bugs which have security implications for Tor users -- mainly WebGL security bugs, but there were a few nasty surprises in the new JavaScript interpreter (see https://trac.torproject.org/projects/tor/ticket/2819 , https://trac.torproject.org/projects/tor/ticket/2873 , and https://trac.torproject.org/projects/tor/ticket/2874 ). There were plenty of other changes to audit as well; look through Tor's bug tracker if you're interested. Robert Ransom Thanks for the detailed explanation links to the trac tickets. It sounds like what I suspected - new versions create new security issues for Tor, which take time to deal with. Unfortunate, but... Re: Firefox 5.0 - unsafe: I was under impression the 5.0.1 update was for Mac (possibly Linux) - yes? I don't get any avail updates, when checking manually from my Windows FF 5.0 installation. I read somewhere * Windows * users don't need the 5.0.1 update (though 5.0.1 is what they get if d/l the entire package vs updating)?? Have another question then about 2 instances of Tor - which I'll ask in another post. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Thunderbird, GMail and Tor - is it safe?
On 8/9/2011 10:03 AM, Phillip wrote: Hi, My question is about the safety of using Thunderbird to send e-mail through Tor. A little background: I run a moderate capacity (~500-600 kb/s) Tor relay. I've configured my Thunderbird client to use the Tor network, as well as to not leak DNS resolves, and I've verified through test e-mails that they are being sent to the GMail server through a Tor exit node. My accounts are configured to use SSL/TLS for both IMAP and SMTP. I understand that once e-mail leaves the GMail servers, it's about as secure as sending an open post card. My question is whether the SSL/TLS connections between my e-mail client and the GMail server are being made through the Tor network, and whether using Tor in such a way exposes my otherwise unencrypted e-mail to a greater risk of being skimmed by, say, a potentially hostile Tor exit node? My goal is simply to anonymise my IP, which gets leaked gratuitously by Thunderbird, and to ensure that the e-mail gets to the GMail server as securely as if I was using the https web mail. Thanks in advance for any assistance! Cheers, Phillip As I understand it, just sending unencrypted mail to an email provider thru Tor, only masks your true IP address. This assumes you've set up an acct w/ provider, WHILE USING TOR. Once it hits (Gmail many others') servers, they're going to scan unencrypted mail, as well as mail sent to you. If your received mail is unencrypted, providers will scan that. You can use HTTPS connection Tor to Gmail, which will hide your IP, provide protection * between you Gmail,* but if unencrypted, won't keep them from scanning it. Yes, I believe an exit node could scan unencrypted mail. I'm not sure about when you use SSL between you final destination. Others can chime in (please correct any mistakes here). Generally, it's not suggested to send sensitive, unencrypted info thru Tor when using plain HTTP connection w/ a site. One solution for you might be to use the popular Enigmail Tbird addon (from AMO's site) to encrypt mail. You can read up on it at AMO Enigmail's home page - what's involved for you recipients of your mail. It's not that difficult. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] New Tool Keeps Censors in the Dark - mentions Tor.
On 8/8/2011 9:34 PM, Jimmy Richardson wrote: On 8/9/2011 5:44 AM, Joe Btfsplk wrote: Jimmy, though you have some valid points, I think you missed my point entirely (possibly some other posters'). Actually I do see your point, as I have said, we have different assumptions regarding how censor would react to anti-censorship activities, let's just agree to disagree here. But even under your assumption, I don't see the reason to bash Google here. True, Google could sell you out to governments, but so could any company (for example your ISP). The difference between Google and your average company is: a. Google actually made a stand against censorship, and suffered the retaliation; b. Google is providing computation resources for free. If you want privacy/anonymity, you just need to code encryption routines for the proxy you run on Google's AppEngine, it's no different from the suggestion to run Tor over Telex. And for the free service they provided against censorship, we should be thanking Google (and Telex if it gets built). As far as I can see, Tor is already losing against the censors, I think Tor should welcome some help in fighting against them. I think we're beating a dead horse maybe talking about 2 diff things. I'm not bashing Google - just stating instances of their record. Yes, they provide lots of free services - including email. But before one sends unencrypted email to Gmail quite a few other free providers ( also persons replying to email sent thru the scanning providers), it'd better be info they don't mind * possibly * the entire world knowing. I just don't think Google is a good choice to count on to protect your identity ( stake your freedom on, * if living in a highly repressed nation *), even if they do offer valuable services for free. I hope other entities will step up to offer the kinds of services you mention, for users in repressed nations - if none exist. Google's some other providers' privacy policies are quite dismal from a privacy standpoint. In the US some other nations, for now, loosing your freedom isn't an issue - unless breaking some laws. I was speaking about very repressed nations, where people can be jailed simply on suspicion. In THAT kind of society, I wouldn't trust Google (OR a lot of others), if offering services you refer to. In the US other free democracies, invasion of privacy failure to protect identity are probably the only drawbacks to using Google - other provider w/ similar privacy policies - for services you mention - unless violating laws. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] New Tool Keeps Censors in the Dark - mentions Tor.
On 8/9/2011 3:18 AM, Zaher F. wrote: after reading all ur conversation... for me i didnt understand a very important thing : how come a software or tools as Telex and is not anonymity?? because the most of blocked sites by the governments are restricted also and censored... so i dont think a software like Telex can work against these governments cause no body is ready to loose his freedom thx Zaher, the purpose of Tor ( Telex's model) IS primarily anonymity. And in opinion of many, anonymity implies privacy. One issue is Tor or any other anonymity software isn't 100% foolproof. Yes, many sites are censored by nations. The purpose of software like Tor presumably Telex are to keep ISPs (thus gov'ts) from knowing which sites your visiting. The draw back to that, is some nations have banned accessing Tor nodes. Whether Telex get off the ground or not, as I mentioned earlier, their concept is (* as I understand *), a censoring nation / ISP would think users were accessing acceptable sites (vs accessing a Tor node), Telex would divert users traffic from the destination (that the ISP sees / logs), after it leaves the ISP to users' real destinations. The ISP has no idea the traffic was diverted by Telex, or that Telex was involved at all - as I understand. Thus, making ISPs ( gov'ts) THINK users' are going to acceptable sites. This is diff than ISPs logging that users are connecting to Tor nodes (if they can), which some nations see as trying to circumvent their censorship. Whether ISPs would eventually be able to detect traffic is using Telex software is another matter. I'm not any sort of expert on Telex or Tor. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Thunderbird, GMail and Tor - is it safe?
On 8/9/2011 11:49 AM, cmeclax-sazri wrote: On Tuesday 09 August 2011 11:03:55 Phillip wrote: My question is whether the SSL/TLS connections between my e-mail client and the GMail server are being made through the Tor network, and whether using Tor in such a way exposes my otherwise unencrypted e-mail to a greater risk of being skimmed by, say, a potentially hostile Tor exit node? My goal is simply to anonymise my IP, which gets leaked gratuitously by Thunderbird, and to ensure that the e-mail gets to the GMail server as securely as if I was using the https web mail. As far as I can tell from the headers, it is working. When you send email through the web interface, your IP does not appear in the headers. Your message contains this header: Received: from [0.0.0.0] (spftor3.privacyfoundation.ch [62.220.135.129]) by mx.google.com with ESMTPS id r5sm7674eef.36.2011.08.09.08.04.01 (version=SSLv3 cipher=AES128-SHA); Tue, 09 Aug 2011 08:04:03 -0700 (PDT) which shows that your mail was sent through encrypted SMTP from a Tor node. I have a Gmail account that I created through the web using Tor; it was immediately flagged as suspect as soon as I finished. How do you use Thunderbird with Gmail? You will have to either create an acct while using Tor, or when using Tor to access an existing acct (not sure of the value in that - if the acct wasn't created using Tor), or almost certainly have to use an exit node in the same country that you created the gmail acct from (by editing your torrc file to use country specific exit nodes). Gmail doesn't like it when you try to access an acct from an address in another country than the one they saw / recorded when the acct was created. I think they believe it may be a hacking attempt. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] New Tool Keeps Censors in the Dark - mentions Tor.
On 8/10/2011 5:21 AM, Achter Lieber wrote: - Original Message - From: Zaher F. Sent: 08/09/11 03:18 PM To: tor-talk@lists.torproject.org Subject: Re: [tor-talk] New Tool Keeps Censors in the Dark - mentions Tor. after reading all ur conversation... for me i didnt understand a very important thing : how come a software or tools as Telex and is not anonymity?? because the most of blocked sites by the governments are restricted also and censored... so i dont think a software like Telex can work against these governments cause no body is ready to loose his freedom ** couldn't resist - sorry cause no body is ready to loose his freedom... we're already losing our freedoms tor is about running and hiding ** thx Date: Tue, 9 Aug 2011 10:34:34 +0800 From: jmmrchr...@gmail.com mailto:jmmrchr...@gmail.com To: tor-talk@lists.torproject.org mailto:tor-talk@lists.torproject.org Subject: Re: [tor-talk] New Tool Keeps Censors in the Dark - mentions Tor. Achter, this isn't a reply to the topic, but an FYI on how your posts show up (on my screen in Tbird). Your reply (that I enlarged text enclosed between astrisks **, just shows up as part of the original quoted text. IOW, it's not distinguished from any previous post at all, so doesn't appear to be a NEW post or reply. * Don't know how it appears to others. * I'm assuming if you wanted to insert comments at specific point, in the middle of previous post(s), you hit enter to start new text that isn't part of previous quoted replies? Your post / reply is 1st I've seen this on - not sure why. Since I don't know which email client you have (or using some webmail), can't give specific suggestions. Usually w/ Tbird, if you place cursor in quoted text, where want to insert reply ( have it show up distinctly from earlier posts), hit enter - it breaks the earlier quoted post makes new text entered very distinct from quoted text. This is just FYI - if have any questions, please ask. Maybe I or others can make suggestions. Another FYI - a Tbird addon I use to help reading msgs w/ multiple quotes is QUOTE COLORS. https://addons.mozilla.org/en-US/thunderbird/addon/quote-colors/ It makes it much easier to keep up w/ what text went w/ which author. I'm sure other email clients * may * have similar addons. Cheers. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
[tor-talk] Any problem installing TBB Vidalia bundle on same machine?
My question involves 2 scenarios. 1. Installing both TBB Vidalia bundle, so other apps could be torrified if need to close Tor browser. 2. Install run TBB Vidalia bundle simultaneously, so if close TBB, don't have to wait for Vidalia startup to torrify other apps. Not sure which of these would be more common, at present. Tor Project is moving away from Torbutton, which is fine - urging use of TBB. Sometimes I may not want Firefox in TBB open, or may need to close it, which closes Tor. But, may either already have other apps running, using Tor, or want to start them quickly. Is there a problem using both - either separately (one active at a time), or simultaneously? Last, for non browser apps, is there a standard way to check if they're using Tor (say, Thunderbird or other apps), as the check for browsers? ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Any problem installing TBB Vidalia bundle on same machine?
On 8/11/2011 11:08 AM, Phillip wrote: I'm still sticking to Torbutton - I prefer the flexibility of being able to switch it on and off when I need, rather than launching a new browser. That being said, I frequently run Tor with Firefox at the same time as my e-mail client (all of which is routed through Tor). As long as Vidalia's opened, you should be able to use multiple programs with Tor simultaneously. With Thunderbird, you can check by sending a test e-mail, even to yourself, then looking at the source. It's working if you get something that looks like this: Received: from [0.0.0.0] (tor-exit-router45-readme.formlessnetworking.net [199.48.147.45]) by mx.google.com with ESMTPS id v16sm1593516ibf.42.2011.08.11.09.06.31 (version=SSLv3 cipher=AES128-SHA); Not sure about other apps like Pidgin etc. Is there a problem using both - either separately (one active at a time), or simultaneously? Last, for non browser apps, is there a standard way to check if they're using Tor (say, Thunderbird or other apps), as the check for browsers? ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk Thanks Phillip. I'll try that w/ Tbird. But, still like to know if can install both vidalia bundle Tor browser bundle at same time (even if not running at same time). Like you, I might have other apps I want to run thru Tor, but don't necessarily want Tor browser open. Or if TBB hangs have to close, then any other apps running thru Tor lose their connection / anonymity. According to what I've read here, development / security of Tor button is not high priority anymore trying to phase it out. However, not having ability to run Tor w/o a browser open has some drawbacks. You don't need Tor button to user Tor for another app, as long as you can verify it's using Tor. That's why I asked about installing both. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Any problem installing TBB Vidalia bundle on same machine?
On 8/14/2011 12:30 AM, Roger Dingledine wrote: On Sat, Aug 13, 2011 at 05:34:08PM -0500, Joe Btfsplk wrote: But, still like to know if can install both vidalia bundle Tor browser bundle at same time (even if not running at same time). Installing both at once is no problem -- TBB doesn't require any install, so there's nothing to conflict. But running both at once won't work currently: the Tor in each of them tries to bind to the same ports, so the first one to run will win and the second one to run will lose. We're actually trying to fix that so they can be run together though. Keep an eye on upcoming TBB announcements. Like you, I might have other apps I want to run thru Tor, but don't necessarily want Tor browser open. I agree. I wonder if we should come up with some option in the TBB Vidalia 'advanced' window, along the lines of don't close TBB when Firefox closes. Vidalia is working on a plugin approach, so for example that checkbox might become an option in the TBB panel in Vidalia. --Roger something like an option / preference don't close TBB when Firefox closes sounds like a solution. Technically, it'd be don't close Tor / Vidalia wouldn't it, because TBB includes Tor? Firefox in TBB is dependent on Tor, but Tor (in TBB) doesn't necessarily have to be dependent on Firefox running. Installing both, running one, shutting it down, starting the other is doable, but kinda pain. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] New Tor Browser Bundles with Firefox 6
On 8/21/2011 5:51 AM, Runa A. Sandvik wrote: Hi everyone, We've updated the experimental Tor Browser Bundles to Firefox 6 and all users are strongly encouraged to upgrade, as Firefox 6 fixes some serious security issues present in Firefox 5. See https://blog.torproject.org/blog/new-tor-browser-bundles-firefox-6 for more information and download links. Thanks. How experimental are they? They are alpha releases, after all. For most software, alpha releases are only intended for testing (most developers stress that point). For something involving privacy / anonymity (depending on where you live), is using an alpha version for every day use advisable? Yes, Firefox 6 fixes security issues, but TBB is alpha. I've always wondered about Tor Project's (perceived) different opinion that users should switch to a , b versions - vs. other developers' caution about using them. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] New Tor Browser Bundles with Firefox 6
On 8/21/2011 2:28 PM, Justin Aplin wrote: On Aug 21, 2011, at 2:53 PM, Joe Btfsplk wrote: Thanks. How experimental are they? They are alpha releases, after all. For most software, alpha releases are only intended for testing (most developers stress that point). For something involving privacy / anonymity (depending on where you live), is using an alpha version for every day use advisable? Yes, Firefox 6 fixes security issues, but TBB is alpha. What you're doing here is switching from a bundle of software that has *known*, readily-exploitable security issues, to a bundle which fixes those particular issues but *might* have unknown security issues. Some of these unknown issues may have also existed in the previous version(s), some may be new. Since software will rarely, if ever, be exploit-free, by upgrading in this manner you're taking a small risk of opening yourself up to new exploits in order to greatly reduce your risk of being exposed to current ones. I've always wondered about Tor Project's (perceived) different opinion that users should switch to a , b versions - vs. other developers' caution about using them. In my experience, developers usually say this because they don't want to be held responsible (read: blamed) for compromising the stability of production machines. This applies to Tor as well, since the alpha and beta branches tend to crash more frequently than the stable branch does. But since the alpha and beta branches tend to include new features, and since the majority of new features in Tor are geared toward improving security, the same logic as above applies. ~Justin Aplin Thanks. In this case, I understand about FF 6 Tor Project wanting to move to it. Re: Tor w/ FF 6. Firefox 6 fixes known issues. The main purpose of Tor is anonymity, not protecting against browser attacks - yes? (though using the latest browser is good, for browser safety). But, isn't using an in thoroughly tested Tor version more risky from an anonymity point - ? (the risk level depending on where you live, i.e., what's the worst that could happen if I get found out). For people living in highly repressive countries, would the bigger concern be relatively assured anonymity, visiting an anti gov't site or preventing a browser attack? For me, it might not be a big issue - not so sure about some other countries. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
[tor-talk] release note for latest browser bundle
I've looked all over. Where can full release notes / change logs be found for latest releases of TBB (alpha, beta or stable). All I've found is brief summaries of main items. Thanks. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] release note for latest browser bundle
On 8/24/2011 7:03 PM, Joe Btfsplk wrote: I've looked all over. Where can full release notes / change logs be found for latest releases of TBB (alpha, beta or stable). All I've found is brief summaries of main items. Thanks. No official release / changes notes for TBB Tor? ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] release note for latest browser bundle
On 8/27/2011 8:32 AM, and...@torproject.org wrote: On Sat, Aug 27, 2011 at 08:07:20AM -0500, joebtfs...@gmx.com wrote 0.4K bytes in 12 lines about: : On 8/24/2011 7:03 PM, Joe Btfsplk wrote: :I've looked all over. Where can full release notes / change logs :be found for latest releases of TBB (alpha, beta or stable). All :I've found is brief summaries of main items. : No official release / changes notes for TBB Tor? This is all we have, https://gitweb.torproject.org/torbrowser.git/blob/HEAD:/README At the bottom is the changelog. I looked around in the area you linked. It was an earlier version. Don't find a readme or changelog for TBB 2.2.31-1a. All I find is on the blog- https://blog.torproject.org/blog/ , shown below. Are these all the changes from previous release? *Tor Browser Bundle (2.2.31-1) alpha; suite=all* * Update Tor to 0.2.2.31-rc * Update Firefox to 6.0 * Update Libevent to 2.0.13-stable * Update NoScript to 2.1.2.6 * Update HTTPS Everywhere to 1.0.0development.5 * Remove BetterPrivacy until we can figure out how to make it safe in all bundles (see #3597) ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] release note for latest browser bundle
On 8/27/2011 11:14 AM, and...@torproject.org wrote: On Sat, Aug 27, 2011 at 09:14:39AM -0500, joebtfs...@gmx.com wrote 1.3K bytes in 33 lines about: : Don't find a readme or changelog for TBB 2.2.31-1a. All I find is : on the blog- https://blog.torproject.org/blog/ , shown below. Are : these all the changes from previous release? You are right, I opened a ticket, https://trac.torproject.org/projects/tor/ticket/3827 Attaboy, Andrew. One Attaboy is good for a $10 disc't off purchase of $5,000 or more at Lowes / Home Depot. Offer not good on anything you might actually want. Good to know we've got a man on top of things. :) Kidding aside, thanks. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)
On 9/2/2011 7:55 AM, Achter Lieber wrote: - Original Message - From: Roger Dingledine Sent: 09/01/11 03:47 PM To: tor-talk@lists.torproject.org Subject: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others) New bundles are out now: https://blog.torproject.org/blog/new-tor-browser-bundles-4 Perhaps now is a great time for you to learn how to verify the signatures on Tor packages you download: https://www.torproject.org/docs/verifying-signatures Is it really a risk, d/l Tor or TBB directly from Tor Project's site, that verifying signatures is necessary? What is the reasoning here - if getting files from Tor Project server? ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)
On 9/2/2011 9:57 AM, David Carlson wrote: On 9/2/2011 9:28 AM, Joe Btfsplk wrote: Is it really a risk, d/l Tor or TBB directly from Tor Project's site, that verifying signatures is necessary? What is the reasoning here - if getting files from Tor Project server? ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk I believe that the point of Roger's message was that you or I may not really be downloading the package from TorProject, if we are using SSL that is authenticated to a fake certificate. Thanks. I'm sure many would appreciate a bit more explanation what ...if we are using SSL that is authenticated... means, in this case. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)
On 9/2/2011 12:11 PM, Seth David Schoen wrote: Joe Btfsplk writes: Is it really a risk, d/l Tor or TBB directly from Tor Project's site, that verifying signatures is necessary? What is the reasoning here - if getting files from Tor Project server? How do you know it was really the Tor Project server? I'm not sure. How do I know when I open an HTTPS bookmark link to my bank, that it's my bank? I don't go through a (manual) signature verification process when signing in, or d/l anything from a bank, CC or investment company. Are you answering a question w/ a question? I asked 1st :) ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)
On 9/2/2011 4:46 PM, and...@torproject.org wrote: On Fri, Sep 02, 2011 at 01:31:53PM -0400, col...@averysmallbird.com wrote 4.5K bytes in 109 lines about: : According to a number of bloggers(1), torproject.org was include among those Here's another blogger for your list, https://blog.torproject.org/blog/diginotar-debacle-and-what-you-should-do-about-it Thanks for all replies on this. I read over several linked articles. Honestly, many avg users won't / can't take time to read it all may not understand it. Question - obviously, Tor isn't the only software or site that could be targeted. What's to prevent necessity of verifying signatures on every d/l software, even mainstream, major developers (if they made it possible)? And if they don't, why wouldn't users of other software be at same risk? Just because we haven't heard about XYZ software fake certificates, does that mean anything? Sure, verifying Tor may be prudent, but what if users have to verify signatures on all software (if available)? Unless it becomes a more automated process, avg users wouldn't devote that kind of time. I'm just asking here - other than entities (gov'ts?) targeting anonymity software (for now) what prevents this issue from becoming widespread? If I download an update from MS - how do I know it's the authentic pkg from the real MS? There's no authentication (or even check sums) for d/l Firefox, IE. Only a small % of all developers offer these capabilities. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)
On 9/7/2011 3:42 PM, Marsh Ray wrote: On 09/07/2011 03:19 PM, Julian Yon wrote: My bank forces me to enter part of my password using unobscured dropdowns for security. Sure, it avoids keyloggers, but what about *someone standing behind me*? Do they have a gun? Otherwise, cover the screen with your hand or ask them to look away. Realistically, this is nowhere near the biggest threat these days. It's mostly a holdover from security guidance from shared computing labs and pre-internet days. Yes, be aware of your physical surroundings. No, don't think that it keeps you one bit safe online, unless you're that special case where your adversary is physically present. - Marsh Respectfully, I think some may have missed the point of (part of) my earlier comments Julian's about PWs. Admittedly, we got off topic. It has nothing to do w/ Tor or fake certificates. So, for me, feel free to drop the topic about lack of PW security. But, the WHOLE point of my comments was (certificates, PWs, whatever), corporations say they are using highly secure methods technology online, when in fact they often aren't. And yes, I have complained gotten the canned replies, we take customers' security online safety very seriously use high security standards... My point was ( I think Julian's) was, aside from certificate issues, various practices of many sites where security is vitally important, their WORDS ~ we take customers' security online safety very seriously use high security standards..., and their ACTIONS don't match. It's not a matter of if one * could * cover their screen when typing an exposed PW, it's that it's generally a bad idea, that could be easily corrected. Limiting PWs to 10 alpha numeric chars (w/ NO spec. chars) is a bad idea AFAIK, there's no reason a multi bill. corp. like Vanguard invstmts couldn't allow more chars special chars. I also asked a question about options for users, when they are confronted w/ a warning that the site's certificate authenticity can't be verified? If it's your bank you need to transact business - THAT day - what can you do except call * maybe * talk to IT? If they can confirm they're aware of problem, one could probably feel safe in accessing the site anyway. What if you can't reach IT? ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] TB-1.4.2
On 9/9/2011 7:20 AM, Greg Kalitnikoff wrote: Is there a way to not to close Vidalia and Tor itself with browser exit? Or open TB`s Firefox separately fully functional, with New identity option? When I need to restart FF or when it crashes, it is very inconvenient to start all cycle again: Vidalia-Tor connect-Browser. I realize that it is the only reason for me right now wny I run Firefox separately (though that one which TB contains). Hi, I don't believe so. I asked the same thing a few wks ago, because of running other apps thru Tor, when didn't necessarily want / need TBB open. Or, if TBB hangs / crashes, don't want to lose Tor connection on the other app(s). Answer I was given - Tor/ Vidalia TBB can be installed on same machine, because TBB runs out of it's own folder (or off a USB drive) uses separate Firefox profile. Running both at SAME time could be a problem (don't remember that part of answer), but haven't tried it out yet. I've slept since then, forgot exactly what one of the gurus said - ** if TBB Tor - Vidalia bundle could be RUN at same time (perhaps w/ some mods)? ** I'd appreciate a refresher on that.:) ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Any problem installing TBB Vidalia bundle on same machine?
On 8/14/2011 7:47 PM, Justin Aplin wrote: On Sat, Aug 13, 2011 at 05:34:08PM -0500, Joe Btfsplk wrote: But, still like to know if can install both vidalia bundle Tor browser bundle at same time (even if not running at same time). Alternatively, as a hackish fix, you could modify your permanent installation to bind to ports that won't conflict with TBB. Off the top of my head, I think you'd want to pick non-default values for ControlPort and SocksPort in your torrc (with matching values in Vidalia), as well as a non-default value for proxyPort in Polipo's config file, and changing socksParentProxy (also in Polipo's config file) to point to the new value you've given to torrc's SocksPort. *I don't have TorButton to fenangle with * on this computer, but I'm sure somewhere in its options or in about:config you can change the port it looks for Polipo on, or plug it directly into Tor's socks port if you're not using Polipo. The ultimate goal here is to have your permanent installation of Tor/Vidalia/Polipo/ * Firefox/TORBUTTON * use a completely different set of ports than TBB. Like I said, hackish, but the result should be worth it if you use both often. ~Justin Aplin Justin, after re reading your suggestion few times, realized we don't seem to be talking about same thing. I didn't mean running TBB a ver of FF w/ Tor / Torbutton. I meant TBB and just Tor / Vidalia/ Polipo (no Firefox, Torbutton involved), so other apps could be torrified, but not w/ Firefox running. So any reference to Firefox / Torbutton don't apply to what I others wanted to do: Have a separate installation of Tor / Vidalia run other (non browser) apps thru Tor - whether at same time TBB is running or not. Preferably, WHILE they're both running (TBB and Tor /Vidalia - sans Torbutton). Maybe you did understand me, but I didn't understand reply! Thanks. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
[tor-talk] question about socks 4, 5
was playing w/ latest TBB seeing how other apps (like email - Tbird, or other apps) behaved, just to experiment. 1) Question about changes in proxy settings of late(er) TBB (Aurora - FF 6) use. Notice that ONLY things filled in on network settings page is: - Manual Proxy Config is checked, - under SOCKS host, 127.0.0.1 is used, and PORT 9050 used. - SOCKS 5 is checked. Obviously, changes from past Tor. I saw msgs in TBB / Vidalia log (which unfortunately, I didn't figure out how to save - it's gone once TBB shuts down), to effect of (pardon my poor memory): An (or some) applic. is trying to do on SOCKS 5... which ~ may compromise anonymity... Consider using SOCKS 4 instead, ... or use Polipo (Privoxy?) Question isn't about ONE app, but in general. If trying to torrify other apps, how do you know (now) WHICH settings to use in connection settings for that app(s)? HTTP, SSL, SOCKS 4 / 5? Or some combo of one or more of these settings which Proxy or Port for each? By that, mean by CURRENT ways that Tor / TBB work, not outdated help / FAQ articles (sorry). Some help files articles are out of date no longer apply for some settings. Could be wrong, but don't think instructions on https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/EMail have changed in * long * time. Have to say, Tbird instructions on above link could be a * LOT * clearer. I'm a technical person (not a coder) have a hard time following it all. Definitely not written for avg users: Mozilla Thunderbird Thunderbird has native SOCKS5... 3proxy as a POP3 proxy First, you need to configure and start 3proxy as a pop3 proxy with redirection to tor. Create a configuration file (plain text) like this: # put 3proxy in background mode. For Windows replace with service daemon... I'm sorry, but don't really follow all the article don't know when it was updated - no date!!! Haven't gotten around to trying to install both latest TBB AND Tor bundle or run * at same time, * on diff ports - but need to. Life doesn't stop because TBB is open. There could be times when I'd really like to run other apps thru Tor WHILE running TBB. Thanks. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Fw: Hotmail with Tor [is their a solution!?]
On 9/26/2011 5:34 PM, William Wrightman wrote: --- On Mon, 9/26/11, Joe Btfsplkjoebtfs...@gmx.com wrote: From: Joe Btfsplkjoebtfs...@gmx.com Subject: Re: [tor-talk] Fw: Hotmail with Tor [is their a solution!?] To: tor-talk@lists.torproject.org Date: Monday, September 26, 2011, 1:08 PM I don't use Hotmail, but it may / may not be related to javascript. Either way, make sure that (at least) session cookies are allowed to be set for HM. -Cookies work as per usual. For grins, after disabling NOScript, look in about:config, type javascript in search, see if any are still set to deny javascript, even though may have disabled / uninstalled an addon. Uninstalling them (assume disabling, too) does NOT always reset the preferences they changed back to default. It should, but doesn't always. -I disabled JavaScript and there were a few options that were false which I set to true: javascript.options.mem.log javascript.options.methodjit_always javascript.options.strict network.protocol-handler.external.javascript However did this not solve the problem - same behaviour as previously. Are you using the same install same profile of FF w/ Tor, as used for everyday use w/o Tor? Or is it a separate FF / profile, w/ diff addons or plugins, that you're running w/ Tor? -Same as I use for all other Tor browsing. Look at the error console to see what, if any, errors show when trying to load the pages that show basically blank. AFAIK, if FF has problems w/ a page, it will log errors in error console. If given option, try changing the viewing mode of msgs to text only. -No errors but lots of warning messages: Warning: reference to undefined property e[d] Source File: https://login.live.com/pp1100/js/WLWorkflow.js?x=11.0.18474.0 Line: 9 Warning: assignment to undeclared variable HM_CustomLogo Source File: https://login.live.com/pp1100/js/WLWorkflow.js?x=11.0.18474.0 Line: 46 Warning: assignment to undeclared variable LM_HIPLogin Source File: https://login.live.com/pp1100/js/WLWorkflow.js?x=11.0.18474.0 Line: 29 Warning: assignment to undeclared variable LM_LockOut Source File: https://login.live.com/pp1100/js/WLWorkflow.js?x=11.0.18474.0 Line: 29 Warning: assignment to undeclared variable FNode_Disabled Source File: https://login.live.com/pp1100/js/WLWorkflow.js?x=11.0.18474.0 Line: 48 Also a TorButton error: Warning: window is read-only Source File: chrome://torbutton/content/torbutton.js Line: 4412 Many thanks - any more suggestions? William, as suggested, not sure if js purely by itself is the problem. What's IN the error / warnings is important. I do NOT claim to be an expert on the warning msgs in FF error console. By any chance, have you tried the latest Tor browser bundle, to see if this problem is related something like Torbutton or some thing to do w/ Tor pkg vs TBB? You don't have to install TBB -unzip to folder or USB drive, etc. Just (for now) don't run TBB Tor pkg at same time. See if TBB allows viewing the email msgs. You didn't say if started FF in safe mode (disable all addons / plugins), then started Tor? Maybe not here, but addons can cause lots of problems. It's been a while since I played w/ settings in Torbutton, but many have run into pages occasionally that don't work w/ Tor. Sometimes error is discovered - sometimes not. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
[tor-talk] observation: Browser bundle secure files deletion
I've thought about TBB it insecurely deleting files such as cache when closing TBB Firefox. I assume this is what happens - I've investigated - a BIT - seems that's what it does. *Is this correct?* If true, there's no opportunity to securely wipe the files, rather than them being insecurely deleted - unless I'm mistaken. AFAIK, Tor has no secure wiping capability built in. Don't remember reading in documentation, either that users should be aware of this take appropriate action, or that TBB already handles it securely. Also, no mention of a list of files TBB deletes on shut down, that users might consider the possibility of data being recoverable. If true, the only way to wipe any sensitive info (Ex.: so a repressive gov't can't recover info from HDD), would be use a prgm to wipe free space on the partition containing TBB. If it is installed on a flash drive, that could be wiped, but principal is still the same. Since many users install most everything to C:\ - esp. in Windows (in TBB case, unzip to a folder), then wiping free space process on the OS partition - which MAY be the whole HDD for some users, ALWAYS involves some risk to file(s) corruption. I've never had a disaster wiping free space, but forums like Eraser, CCleaner others are full of posts about the process (apparently) severely damaging the OS. If my assumptions are correct, 1) Have TBB developers considered the issue of some deleted info from sessions, being recoverable? 2) Other than wiping free space, (which takes time) are there other suggestions for avg users to realistically deal w/ this? It doesn't affect me so much, but in repressive countries, it may warrant consideration. I'd think for users wanting to securely wipe free space, it'd be best to use TBB on flash drive or a small partition on HDD. It's possible ? w/ a proper list of files, the files in question MIGHT be securely deleted BEFORE closing TBB, but many wiping prgms would have problems wiping active files. It probably can be done w/ enough knowledge right tools, but most users aren't aware of steps needed, and would not regularly go to that trouble (or forget). Thanks. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] observation: Browser bundle secure files deletion
On 10/4/2011 9:22 AM, Julian Yon wrote: On 04/10/11 15:00, Advrk Aplmrkt wrote: I had the exact same question about secure delete. Also, securing wiping the computer's memory is important, as sensitive data could be recovered from RAM even *after* power off... TAILS handles this: http://tails.boum.org/ Using TAILS may involve a compromise, as it seems to still be on FF 3.5, whereas TBB has moved on. Like any security issue you would have to make a decision based on your own threat model. Thanks to both. Advrk - Good point. I'm no pure expert, but seems I've read if computer is POWERED off for ? several minutes, most RAM will be cleared. Even if true, it's a bit inconvenient. IMO, the RAM issue doesn't have as much widespread potential impact as things like cache other files not being securely deleted. ** I see that default Cache Space in Aurora is set = 0. What about people w/ slower machines that REALLY need cache? Of those needing it, I'd guess a good number * need * to securely delete it, whether they're aware or not. Julian - TAILS handles what? Clearing RAM or securely deleting files in FF containing personal data? TAILS may be GREAT, but TBB users probably shouldn't have to rely on 3rd party apps to be secure (esp. in countries where using TBB, that the whole point of using it is (close to) complete anonymity therefore security. They probably shouldn't have to use a 3rd party wiping prgm. Leaving files behind w/ incriminating info (from a repressive gov'ts view) isn't secure or anonymous. Regarding deciding on your threat model - one of my points is, even many Tor / TBB users don't KNOW anything about secure / insecure deletion of certain files when TBB is closed. This could also involve Vidalia / Tor files in TBB. Some don't know what a threat model is. If we're assuming only advanced users should be using Tor / TBB, then everything's fine. I'm almost positive that's NOT the developers' assumption / position. I haven't investigated far enough yet to know what TBB / Aurora will do if under Options Privacy, you check the box: Clear history when Aurora closes, then UNcheck most of the items under the settings. Then after closing TBB, use a wiping prgm w/ pre configured task to wipe the files / folders you want. Again, avg users would have to be instructed - in plain language - not computer speak. A lot of users would * need help * knowing which files to delete that might contain personal / private data. Perhaps a list of all files potentially containing personal / private / browsing data could be listed - VERY PROMINENTLY - where all users would see it some instructions on how to securely delete them. Firefox no longer shows the Delete Private Data box at shutdown, but an addon Ask For Sanitize brings back that box, so one can see / change what's being (insecurely) deleted at shutdown. Or choose not to delete anything, then use a wiping prgm to del files. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] observation: Browser bundle secure files deletion
On 10/4/2011 2:20 PM, Julian Yon wrote: Generally it's polite to read the information you've been given before responding at length. As you have not, I don't see much point in continuing trying to help you. Sorry to have to put it like that, but I'm chronically ill and don't appreciate having my time and energy wasted. Julian I'm very sorry to hear that you're ill - so am I. I hope you get to feeling better, if not get over your illness. Best wishes, ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] observation: Browser bundle secure files deletion
On 10/4/2011 4:38 PM, Robert Ransom wrote: On 2011-10-04, Joe Btfsplkjoebtfs...@gmx.com wrote: I've thought about TBB it insecurely deleting files such as cache when closing TBB Firefox. I assume this is what happens - I've investigated - a BIT - seems that's what it does. If you have evidence that TBB-Firefox stores sensitive information to disk without a user asking it to, please file a bug report. One of the main design goals of Torbutton was to prevent Firefox from ever writing sensitive information to disk (unless a user has specifically asked it to, e.g. by changing Torbutton's configuration or adding a bookmark to Firefox). See section 1.2 of https://www.torproject.org/torbutton/design/ . *Is this correct?* I can't tell because you didn't tell us what files you think TBB-Firefox writes which contain sensitive information. If true, there's no opportunity to securely wipe the files, rather than them being insecurely deleted - unless I'm mistaken. AFAIK, Tor has no secure wiping capability built in. Neither Tor nor TBB attempts to securely erase files, because most filesystems in use on most operating systems (and many modern storage devices) make securely erasing files infeasible. Robert, your points are well taken [repeatedly :) ]. You overlooked some possibilities or I wasn't clear. *One * example: Using TBB, if no sites one wants to visit require cookies to operate correctly - or at all, that's fine. But lots of sites won't work correctly w/o cookies. The assumption is perhaps cookies from sites that might get someone in trouble, but is just as important to some users simply for privacy / anonymity. If cookies must be allowed - even if only for a site - w/ default settings of NOT to clear history when Aurora closes, in Aurora, then deleting those cookies - either thru Aurora delete history settings / UI or manually deleting the cookies file in the profile, won't securely delete them. You're assuming users will never have to change (any) default setting in TBB to make sites *work.* If that were true, things would be much simpler. I agree, using default settings is best, if possible. Another assumption seems that all machines have enough RAM CPU speed / power, to navigate / access some sites using Tor / TBB, and it not be excruciatingly slow (or impossible), w/o using cache. Not everyone in the U.S., much less Iraq / Iran can afford a newer, faster machine. It would be better if TBB users don't allow caching. For older, slower machines, streaming political videos would be difficult w/o caching. If they just clear cache, it will be insecurely deleted. Maybe they could d/l the file, but if they want to securely del it after (that doesn't concern TBB, per se), they need to use secure wiping. I'm assuming the comment about infeasibility of securely erasing files on modern OSs, is based partly on 1) TBB being on same partition as the OS; 2) volume shadow service (Win) or similar is in use on the partition where TBB is running or files being stored (if any are). Many users have only 1 partition - many don't. I haven't read that that securely wiping * files or free space * on ANY partitions (meaning, none) can ever be effective, IF simple precautions are taken simple instructions are followed (esp. ones not involving the OS partition). If you know of credible documentation that under NO circumstances, can data be securely permanently deleted from any location on machines, I truly want to read it, because it will change some of my practices. Like for certain financial files, medical records, letters to doctors, etc. I think ? what you mentioned is one reason not to install TBB (or any other apps or store files) on OS partition, if want to securely permanently del info. Another option is to run apps in sandboxed environment. That's why I don't store my vanilla Firefox profiles on C:\ w/ Windows. Otherwise, if VSS is enabled, private data gets stored in it. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] [S_ _ _] Please vote for Torservers so we get 1000 Euro
On 10/6/2011 6:26 AM, Moritz Bartl wrote: Hi, I am afraid we are slowly but steadly running out of funds so I am now taking desperate measures. ;-)... Vote here if you are okay with it: https://verein.ing-diba.de/sonstiges/01099/zwiebelfreunde-ev We will use the donation to fund our Tor exits, obviously :-) I REALLY don't know the exact, correct protocol for Tor Project personnel / volunteers on something like this - * just * asking. Trying to educate myself a bit ( perhaps others). This is a very worth cause - I would have no problem voting. But in the tradition of Tor security in light of all recent discussions about faked SSL certificates, shouldn't you have included your public key, esp. when asking reader to follow a link from email - concerning such a topic? It was marked spam by my provider (I removed from subject). I'm fairly sure it is really you, Moritz, (though no way to tell) but it is an unsolicited / unexpected link through email. Thanks. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Tor Browser Bundle: PGP encryption built-in?
On 10/10/2011 2:44 AM, Robert Ransom wrote: No. See https://tails.boum.org/bugs/FireGPG_may_be_unsafe/ , but beware -- I'm sure katmagic and I missed a few dozen attacks. You're correct - that is, the https site you link has an unsafe certificate, * per msg * in Firefox 7: tails.boum.org uses an invalid security certificate. The certificate is not trusted because the issuer certificate is not trusted. (Error code: sec_error_untrusted_issuer) Anyone else seeing same security msg? ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] notice - newer ver available just after install latest TBB
NOTE: my 2nd reply to Andrew's response - still getting update available after installing (latest) latest TBB. Tor-talk must be down - not seen new msgs in a while. On 10/12/2011 10:05 AM, and...@torproject.org wrote: On Wed, Oct 12, 2011 at 09:47:26AM -0500, joebtfs...@gmx.com wrote 0.5K bytes in 11 lines about: : Immediately after extracting / starting the latest stable TBB : 2.2.33-2 (today) from : https://www.torproject.org/download/download-easy.html.en, Aurora : popped a msg saying a newer version was available. Unless the : website is messed up on latest version, then seems like some bug : in the version checking for TBB? What time did you get the notice on check? The updated version file was in place at 2011-10-12 12:53 GMT. Prior to that time, you may have hit a false positive result. Downloaded what now appears to be latest - latest TBB - 2.2.33-3 extracted. When start TBB, it's still prompting w/ an update is available for TBB. When click link, the ver it shows is same I just unpacked 2.2.33-3. Yep, I'm sure that's the one I started, when getting this msg. Looking in the folder where files were unpacked - in readme - clearly states ver is 2.2.33-3. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] notice - newer ver available just after install latest TBB
On 10/13/2011 3:48 AM, Mike Perry wrote: Thus spake Koh Choon Lin (2choon...@gmail.com): Hi the same think happened for me... after downloading the nwe version and running TBB aurora come out with the same message of update... Second that. What URL are you guys being sent to on check.torproject.org? Have you tried restarting Tor Browser in the past couple hours? You need to restart to actually perform the versioncheck... I think you misunderstood the later posts after OP - the REAL latest - latest TBB ver was downloaded on FIRST start gave the notice an update was avail. I believe others said it's fixed now (thanks) - but w/ the orig details of problem, there shouldn't be any need to install a new ver immediately RESTART it to stop false warnings. That makes no sense. It wasn't just that it DID a ver check on 1st start, but said a new ver was avail, when it wasn't. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
[tor-talk] using themes in Aurora
Using addons, plugins, etc. of ALL sorts is a touchy subject regarding Tor anonymity. I'm wondering about use of Firefox themes addons like Tab Mix Plus? Any thoughts on the topic? I give the native theme in Aurora / Firefox (7) low marks for usability, including overall tabs functions / features - (nothing to do w/ Tor developers). It's difficult going back forth from Aurora to Firefox once I am used to a theme in vanilla FF providing better usability visibility - esp. if you don't have 25 yr old eyes. AFAIK, themes addons that simply change the GUI don't send / receive any info or contact sites, aren't a threat to Tor's anonymity? Tor controls to allow / don't allow updates, anyway. So, I'm guessing themes / addons that don't phone home aren't a problem w/ Tor, but need to verify this. Thanks. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] still problems - update available
On 10/14/2011 9:44 AM, Joe Btfsplk wrote: Someone said the problem of inaccurate notices from TBB that an update was available was fixed. This morning, I'm still getting the notice. This is the page it accesses if click link in Aurora: https://www.torproject.org/download/download-easy.html What * exact file data * is the version check using in TBB to check against latest avail. versions from Tor Project? I looked at several files - from the version I'm launching - (I * cold booted * machine overnight). The files indicate I'm indeed using v2.2.33-3 - which also appears to be latest on Tor Project site. From my path of TBB being launched: D:\Program Files (x86)\Security\Tor Browser 2.2.33-3\Tor Browser\Docs\changelog - it clearly shows * v2.2.33-3 * : Tor Browser Bundle * (2.2.33-3) *; suite=windows * Update Vidalia to 0.2.15 * Update Torbutton to 1.4.4.1 * Update NoScript to 2.1.4 * Remove trailing dash from Windows version number (closes: #4160) * Make Tor Browser (Aurora) fail closed when not launched with a TBB profile (closes: #4192) must be some problem why my copy keeps thinking there's a new ver available, when doesn't appear to be the case. Any ideas? I also d/l a 2nd copy of TBB 2.2.33-3 compared using WinMerge, to one I d/l earlier ( using) - the files were identical. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] using themes in Aurora
No one's EVER looked into Tor security issues of using themes (from Mozilla addons site) or Firefox GUI enhancement addons, like Tab Mix Plus? On 10/13/2011 12:36 PM, Joe Btfsplk wrote: Using addons, plugins, etc. of ALL sorts is a touchy subject regarding Tor anonymity. I'm wondering about use of Firefox themes addons like Tab Mix Plus? Any thoughts on the topic? I give the native theme in Aurora / Firefox (7) low marks for usability, including overall tabs functions / features - (nothing to do w/ Tor developers). It's difficult going back forth from Aurora to Firefox once I am used to a theme in vanilla FF providing better usability visibility - esp. if you don't have 25 yr old eyes. AFAIK, themes addons that simply change the GUI don't send / receive any info or contact sites, aren't a threat to Tor's anonymity? Tor controls to allow / don't allow updates, anyway. So, I'm guessing themes / addons that don't phone home aren't a problem w/ Tor, but need to verify this. Thanks. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] using themes in Aurora
On 10/14/2011 1:28 PM, Andrew Lewman wrote: On Friday, October 14, 2011 12:49:32 Joe Btfsplk wrote: No one's EVER looked into Tor security issues of using themes (from Mozilla addons site) or Firefox GUI enhancement addons, like Tab Mix Plus? You could be the first! My first step would be to see what information is sent back to mozilla's getpersonas.com site by the theme. What type of info by what mechanism would you be looking for, that's sent to MAO site? There was long discussion in the recent past about updating addons / FF in a Tor or TBB session. FWIW, looks like the DEFAULT setting in Aurora (TBB 2.2.33-3) under OptionsNetworkUpdate, is to automatically check for addons updates (by design or mistake), but NOT to check Firefox updates. Now, whether NoScript in later TBB versions over rides all that, don't know. Either way, checking for themes addons updates is same Mozilla site. I don't think info sent to MAO site for themes would be diff than other addons. Except for a very few addons that take you to external pages, once addon is installed / updated. But, auto check for addons can be manually DESELECTED, once an addon / theme is installed. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] still problems - update available
On 10/14/2011 7:07 PM, Mike Perry wrote: Thus spake Joe Btfsplk (joebtfs...@gmx.com): On 10/14/2011 3:07 PM, Mike Perry wrote: The problem w/ the startup page showing there was a new version, was I copied my old profile (say from 2.2.32-4) into the latest TBB ver profile folder. Something perfectly normal acceptable in Firefox. Why would I want to reconfig the Aurora UI ( things like not show suggestions when typing in address bar, font size, etc.), or reinstall reconfigure the few extensions used in TBB - every time a new version comes out? I would argue that you're actually doing it backwards. Firefox copies over your existing files with the new version. Thanks. Good to know there's a bug already filed on my problem. Anyway, changing the torbrowser.version value to correct new version, temporarily fixed the new version notification. For tonight, I'll only answer this one of your stmts. You were probably thinking only of users w/ a single profile probably in the default location install in the same folder as previous ver. I have / do none of those. When installing a new Firefox version, if you have multiple profiles want to use a specific one, you often must either specify thru profile mgr which to use, copy (or restore from a BU) a profile over to the new install or copy / restore selected files the user chooses. In the latter case, there's no choice except copying / restoring. Firefox doesn't copy any files - it just uses the last active profile, AFAIK. One reason to BU / restore the old profile, is if updating, some files in the existing profile can get corrupted. I've had it happen a few times thousands on Mozillazine forums have. In the case of TBB, UNLESS you're extracting over the top of the existing version (I don't), I don't see how it will pick up the previous profile. I haven't tried it w/ TBB - not sure what it'd do. Maybe TBB is configured that way, but you're not installing anything - just extracting files. TBB comes w/ a pre configured prefs.js file - as I discovered. Which prefs.js would win, if extracted a new ver to the old folder? I imagine for duplicate files, 7Zip would ask to confirm which file to keep. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] German police keylogger analysis (and the effects on Tor are....?)
On 10/16/2011 3:05 PM, Julian Yon wrote: On 16/10/11 17:57, William Wrightman wrote: When you have finished then you close the partition. Now the password is cleared from the RAM. Thoughts? If you (or someone you ultimately trust) didn't write or audit the code yourself then you are making a huge assumption there. Julian From what I've read in past (for Windows machines) from software docs like True Crypt, data isn't kept in RAM indefinitely after powered off - for a while. Exactly HOW long it takes for RAM to clear, not sure (it wasn't hours hours, from what I read). If you're thinking the police might break down your door, I'd either stop doing anything remotely illegal where you are, or invest in REALLY strong, steel doors, look into prgms specifically designed to overwrite / clear RAM. If the computer was on someone broke in, brought a power supply to keep machine(s) powered up until get them to a research lab, then I guess theoretically they could recover stuff from RAM as well. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Anybody else having problems with Hushmail via Tor?
On 10/21/2011 11:52 PM, Jim wrote: Hi All, Perhaps a few days ago when I was trying to access Hushmail via Tor I was told my computer was blocked, possibly because of abuse. A quick modification of torrc to exlcude a few particular exit nodes let me access Hushmail. Afterwards, I reverted torrc, removing the exclusions, and I have subsequently used Hushmail several times w/o problems. Tonight I am having problems again and this time I am seeing the problems on a number of different exit nodes. I am wondering if essentially the whole Tor network has become poisoned as far as Hushmail is concerned. Is anybody else seeing any problems? Don't know for sure, but it's possible for a given time period / day, if Hushmail gets X people trying to access accts from same (Tor) addresses, they perceive it as possible hacking attempt or other malicious activity. They may not know it's a Tor address / node, just that they're getting multiple requests to access diff accts from same IP address. Just a guess. How many, if any, users access Hushmail via Tor on a given day from same IP address could vary day to day. Some email servers also don't like it if you use an exit node in foreign countries, diff from one used to set up the acct. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Don't use Google as default search in Tor Browser?
On 11/1/2011 10:49 AM, Andrew Lewman wrote: On Tuesday, November 01, 2011 10:13:44 Joe Btfsplk wrote: *** BUT, on a 2nd SEARCH, w/ Google still selected as search engine, TBB does NOT show the screen, asking if you'd like to redirect to another search engine. You told torbutton you didn't want to redirect, so it doesn't for the rest of the session. No, I didn't. I told it * TO * redirect (which it did), I just didn't click the make it permanent box. By my thinking, the only way that notice should NOT have appeared again, during same session, is if I DID check the make it permanent box. Then it would automatically redirect each time. I told it to redirect once, w/o checking the make it permanent box. The next search thru Google, no pop up asking to redirect or not. Looking at included search plugins in TBB 2.2.34, search plugins included by default are Amazon, Ebay, Bing, Google, Wikipedia, Yahoo. It's the stock set of plugins that ship with Firefox. That's what I said. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Don't use Google as default search in Tor Browser?
On 11/2/2011 4:40 PM, Advrk Aplmkt wrote: Joe Btfsplk joebtfs...@gmx.com 於 2011/11/2 12:06 寫道: On 11/1/2011 8:23 PM, Advrk Aplmkt wrote: Thanks Joe for the info. Yes, I *do* know how to remove search engines, including the method you described. However, I was suggesting that Google (and probably some of the other defaults) be not in the TBB to begin with, or at least not the default. I believe this would make TBB more consistent in providing a private browsing experience. I agree, Advrk. I hinted at the same in my reply. I wonder if this would violate some Mozilla agreement, since they get a large amt of $ from Google from including Google search as default search engine? (No such thing as a free lunch). Wasn't indicating any presence or lack of ability on your part to del search engines, just providing general info for anyone that might be interested. No need to indicate being personally offended by the bolded text. Most are here to offer helpful suggestions that may help many - not just OP, not to offend people. Cheers, Hi Joe, I definitely didn't take offense, and I apologise for sounding that way. In fact I really appreciate how informative this list is. :) As for the search engine, would it still violate Mozilla/Google agreements if the default search engine is changed by the Tor Browser packagers (and not by Mozilla)? And I thought Aurora is already Firefox minus Mozilla branding anyway? I have no concrete knowledge if it would violate any Mozilla agreements. I was just thinking out loud. But (all Firefox / Aurora users) can make other search engines the default just by moving another to the top of the list via Manage Search Engines. It's odd (to me) that the TBB developers take actions to avoid using Google for searches, but leave Google search engine in Aurora at all, unless there's good reason. Even if left out, users might add it back (why, I don't know). If they did, that would still require the redirect option to avoid Google. None of the developers have weighed in, so no telling. Maybe they never thought about removing it? Developers? Nothing's 100%, but detectives / investigative reporters often say, Follow the money, to get to the truth. Mozilla's very lucrative involvement with Google is no secret. It wasn't widely publicized for a good while. How or if that affects others modifying Firefox, no idea. I'm not accusing anyone of anything, but one thought is, if Tor Project isn't forbidden from taking Google search out they're receiving no revenue / consideration for leaving it in (even if they provide a way around using Google), what's the point of leaving it in, when so many other things that can compromise anonymity are excluded or disabled in Aurora? I would guess a fair # of less informed Tor / TBB users don't choose the redirect me option on Tor's Google captcha pop up, or don't fully understand why it appears. After all, they're used to seeing Google as the search engine on virtually every Windows machine they've used. Regards, ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Don't use Google as default search in Tor Browser?
On 11/3/2011 3:53 AM, Advrk Aplmrkt wrote: On 2 November 2011 20:17, Julian Yonjul...@yon.org.uk wrote: As the GPL is one of the license options, there is no way that any contract or agreement between Google and Mozilla could possibly be binding on a third party. Mozilla do impose restrictions on use of their trademarks but as TBB uses the Aurora non-branding that isn't an issue. Julian I am inclined to consider the lack of privacy friendly default search engines in TBB as a bug. Yes removing Google as the default should be a trivial change. Could any of the developers comment on this? Thanks. Thanks Julian, That may be true. Still leaves Advrk's question why Google search is left in Aurora. My earlier posings are still unanswered (I certainly don't know the answers). A lot of effort is put into helping Tor / TBB users avoid compromising anonymity by using Google searches. Yet, the Google search engine is left in Aurora. It's a pretty simple question - why? No developers have commented - could be busy now. They do often comment on issues that possibly don't have as much impact on anonymity as this topic. If no one w/ * real * knowledge, comments on the reason(s) - (meaning, not just someone w/ a good theory) - then some would say, you have your answer. Google search engine is BIG business and big $. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Don't use Google as default search in Tor Browser?
On 11/4/2011 9:54 AM, Christian Siefkes wrote: On 11/04/2011 03:43 PM, Joe Btfsplk wrote: A lot of effort is put into helping Tor / TBB users avoid compromising anonymity by using Google searches. Yet, the Google search engine is left in Aurora. It's a pretty simple question - why? How should using Google as search engine comprise your anonymity? Either you're anonymous, then you're anonymous on Google too. Or you aren't anonymous, then avoiding Google won't help you. Christian, I'm not sure I understand your viewpoint, but... Assuming you mean ( / or for others' benefit), simply installing Tor or using Tor Browser gives complete anonymity, it in no way guarantees or even promises complete anonymity. Tor Project is very clear about this. Here's * one * page to start users to understand what's involved. Maybe you already knew this. https://www.torproject.org/download/download.html.en#Warning But, no - there are many ways to * possibly * compromise anonymity while using Tor. Google searches are ONLY one, because they record search terms * any * possible info they can possibly squeeze out of your browser. If Google searches, when using Tor, weren't ANY kind of anonymity threat, the developers wouldn't have gone to substantial trouble to offer users a way to avoid them, when encountered. Google search engine records all search terms ANY other possible info about your browser, etc., they can possibly squeeze out. At the VERY least, some wouldn't want recorded their search terms certainly not the pages they visit after the search, whether using Tor or not. This is especially true if living in a repressive country. Why can't Tor be a complete solution to all anonymity problems? Because it's impossible for ANY one or entity to idiot proof anything, 100%. No matter what you're dealing w/, or how safe it's been made, someone will always find a way to shoot themselves in the foot. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Don't use Google as default search in Tor Browser?
On 11/5/2011 12:47 PM, Christian Siefkes wrote: Avoid Google is not among that warnings, as far as I can see. You are correct - not from Tor Project anyway. They also don't say avoid robbing banks; don't stare at the sun, etc. About all I can advise is, read Google's (lack of) privacy policy. If you like it, use them. If you'd rather not have your search terms recorded also used for targeted advertising, then use another search engine that doesn't use those practices. Your choice. Aurora in it's default state doesn't prevent pop up advertising, in my experience. As far I know, they offer to redirect your search to a different site if they detect that Google shows you a captcha. Correct. If you like Google's privacy policy general business practices, use them. ...but I don't see a reason why they should make it difficult for people to google if they want to do so. Best regards Christian You can use Google search if you want. The captchas are presented by Google. See this Tor FAQ https://www.torproject.org/docs/faq#GoogleCaptcha Tor provides a way around not having to enter the captcha (sometimes several times, if difficult to read), by offering a redirect. In latest TBB 2.2.34, I don't know where alternate search engines for Google captchas are located in the bundle files. I haven't yet been presented a Google captcha while using 2.2.34 - so don't know which default alternate search engine will be presented. If you want to use Google when a captcha appears, don't click redirect just enter the captcha. FYI for others interested in changing the default alternate search engine on a google captcha redirect, in about:config, type 'redir' in search box. The string: extensions.torbutton.google_redir_url will have a value like 5 (which is default for DuckDuckGo in mine). Below this string are the other search engines w/ the numeric url values shown for each. You can change the value from 5 (or what ever it shows) to a numeric value corresponding to other search engines. Mine shows the value '1' for Ixquick, etc.: extensions.torbutton.redir_url.1 https://www.ixquick.com/do/metasearch.pl?query= ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] New Browser Bundle
On 11/3/2011 8:46 PM, and...@torproject.org wrote: On Thu, Nov 03, 2011 at 01:30:00AM -0400, zzretro...@email2me.net wrote 4.2K bytes in 100 lines about: : Any reason for this? Even after I unchecked enable globally I started to surf : and then noticed a different icon on the top of the window of Aurora where it : now shows an icon for 'Tor enabled and 'NoScript'. The current draft of the TBB design document is here, https://www.torproject.org/projects/torbrowser/design/ It should help explain the choices made in TBB so far. Feedback is welcome. I can't imagine cookies or Javascript being enabled globally. I won't leave those default settings. Cookies from regular old web sites aren't necessarily the benign little files a web site places on your computer to enhance the use of our site, that they used to be. Maybe need to read up on what little old cookies from avg sites can do now. Having them enabled globally - in Tor or regular Firefox - doesn't seem like a good idea. Nor does having Javascript globally enabled. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Don't use Google as default search in Tor Browser?
On 11/6/2011 2:05 PM, Julian Yon wrote: Personally I use DDG, partly because of privacy concerns and partly because I don't like the new-look Google. You can always do a Google search through DDG or Scroogle if you're feeling paranoid. On topic, I'd prefer DDG or Ixquick as the default search in TBB but we can't all have our preferences included. Julian I don't think Tor Project is going to make DDG or Ixquick the default search engine any more than Mozilla.org is. As you know, users can easily change their default search engine in Aurora (or Firefox) through manage search engines. Can also add others or delete some included by default. For any users that don't know how, there are tons of pages w/ detailed instructions (it's very easy). Just search for add [or delete] search engine +Firefox ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] New Browser Bundle
On 11/7/2011 10:24 PM, Andrew Lewman wrote: The default tbb config does block 3rd party cookies, and clears all cookies on shutdown. Unless you've told torbutton to preserve some cookies, they're wiped. Point of symantics: Not the correct word - wiped. They are simply insecurely deleted, just like deleting any other file from windows explorer. Wiped implies securely erased. I know you know the difference, but don't want new users to think Tor / TBB securely erases data it deletes. More later on a way I thought of to securely del * ALL * TBB data after a session. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
[tor-talk] Aurora tab loading status
Since Firefox took any meaningful tab / page loading progress bar or indicator of any kind out, several versions ago, I rely on addons in Firefox to give some indication of how fast how much is left to load. If a page is slow / hung, I just cancel. Can't tell that in stock Aurora. Swirling dots don't tell anything. Does anyone else use addon like Tab Mix Plus (that has tab loading progress options), or Status-4-Evar, etc? https://addons.mozilla.org/en-US/firefox/addon/status-4-evar/ There's so much about Firefox thus Aurora, that is almost a necessity, IMO - esp. if using slower Tor network. Not just tab progress bars. On one hand, I don't want to load up Aurora w/ all kinds of addons that may interfere w/ Aurora's primary function. On the other, unless just going to one or 2 sites staying there, using stock Aurora is irritating at best, when comes to knowing how page loading is progressing. Thanks. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] torifying TB
On 11/20/2011 7:21 PM, eliaz wrote: Following the instructions in the Configure Thunderbird to work through Tor help file. I've successfully set up tormail in Thunderbird. However, I don't know what the No Proxy for field on the TB Network Disk Space Settings tab is supposed to mean. Whether I leave Localhost, 127.0.0.1 (as shown in the screen grab in the help file) or delete it altogether, the configured mail seems to work as well. Can some one fill me in on this? Is the field irrelevant to the manual proxy configuration? Apologies for a newbie question, thanks eli All I've ever seen automatic settings that Torbutton sets up in Firefox is like you said, the No Proxy for is left at default Localhost, 127.0.0.1 ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
[tor-talk] copying old profile to new Aurora not working
I upgraded to latest TBB 2.2.34-3 in Vista. I usually copy my profile from previous version of TBB / Aurora into new version, so as not to have to redo some custom settings or reinstall a few extensions I have in TBB. This time, after copying the profile from older TBB replacing the default profile in 2.2.34-3 (in path E:\Temp\Tor Browser\TBB 2.2.34-3\Tor Browser\FirefoxPortable\Data\profile), none of the extensions show up as installed when launching TBB. Copying was done w/ all TBB versions closed. I've never had a problem before copying or restoring a previous profile into a newer version of Aurora (or Firefox), where all the extensions didn't even show up in the Addons Mgr of new version. But the extensions that don't show as installed in latest TBB Addons Mgr - when it starts, ARE listed in the proper place in Explorer - as in the previous TBB version. So, the extensions ARE in the profile\extensions folder, they just aren't showing up in Addons Mgr / Extensions in TBB 2.2.34-3. Any suggestions? Thanks. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] copying old profile to new Aurora not working
On 11/29/2011 3:12 PM, Joe Btfsplk wrote: 1st, I guess some default settings in Aurora are actually stored in prefs.js (as in USER set prefs)? If so, meaning the user prefs file isn't only user prefs - it has prefs set by Aurora devs? Re: shooting myself in the foot. Maybe there's an issue w/ the prefs.js file - as mentioned - by copying the old prefs.js file into the new Aurora, which would be a valid concern. There may be a good reason to extract newer versions the way you suggest because of prefs changes, but answering your question, most prefs I want to preserve are ones made by extensions. I also don't use NoScript default settings, exactly as they come in Aurora. There could be a white list of sites in NoScript, (for ex.), which might get wiped out if I just extract the new TBB over old one??? A few other similar situations. This is an issue for me because stock Aurora doesn't block ads, or web trackers, block referrer headers or a # of other things. I'm willing to try it your way, if it's not going to wipe out all extensions prefs / settings. Ignoring the prefs issue you mentioned for the moment, I still don't see why copying the old profile into the new TBB profile folder shouldn't work (has in the past). Again, maybe it's not a good idea because of what you mentioned. I take it you're saying if users extract a new TBB into the earlier TBB version's folder, it WON'T wipe out extensions, their prefs, search plugins, etc., that you've already custom installed? I think what it'll do is completely replace the previous prefs.js w/ all custom settings from extension. If it overwrites any extensions' prefs, they'd have to be uninstalled / reinstalled. But, as far as copying / restoring an older profile into a new Firefox (or just setting an older profile as default to use in new FF ver), that is an acceptable practice - even w/ Mozilla KBs how to do it (ignoring for the moment any issue w/ Aurora's prefs.js file). It may be easier to allow a new ver to overwrite the old program files (assuming it doesn't mess them up as it sometimes does). Since Aurora is just extracting vs installing, I didn't know how it would affect extensions, plugins (and user prefs) that were already installed in the previous TBB version. An upgrade of Firefox automatically uses the old profile (even if installed to new folder), unless told otherwise. It doesn't (normally) even touch the old profile. In Firefox, it's easy just to tell it which profile (an older one) to use. In Aurora, the profile is self contained w/ prgm files. Thanks. On 11/29/2011 2:09 PM, Mike Perry wrote: You're still doing it wrong, man. As I said the last time you shot yourself in the foot doing this copying the wrong way (https://lists.torproject.org/pipermail/tor-talk/2011-October/021772.html): I would recommend just overwriting your old TBB dir with the new data. Sometimes we change prefs+create new ones, which could cause bugs for you when you copy old-over-new. If there are a lot of prefs you need to change, you (or we) might also be doing it wrong. Might I ask which ones you need to keep? Mike, I tried extracting the newer TBB 2.2.34-3 into the folder of the older version. It didn't wipe out extensions completely, but as I expected, it over wrote all the extensions' preferences stored in prefs.js. So, all would need setting their preferences again. On some, this is a requirement - not personal choice. You must set the prefs - often from a home page, before using the extensions. Not sure what all prefs the TBB devs are putting in the prefs.js file, but I don't really want to reconfigure my / the extensions' prefs every few weeks, as Mozilla releases new versions, leading to new TBB versions. I'm not sure why in NoScript, scripts are allowed globally by default or accept cookies for all sites would be enabled by default, but those a few customizations in the browser are * some * other prefs I want to save. Also don't want to look at ads / waste bandwidth w/ Tor or have trackers following me around, websites tracking me from one to another, which is why I install the extensions. I guess TBB devs never expected anyone to use extensions other than the ones they install in Aurora. It may be a standoff between needs of developers a great deal of inconvenience, reconfiguring extensions after every TBB release. Seems maybe there needs to be another file to control the users' actual prefs one for TBB devs' prefs to control Aurora to preserve anonymity / make it work correctly. BTW, copying an old profile into new TBB profile folder does work, if you don't accidentally copy it to wrong folder. That doesn't solve the issue Mike brought up earlier about developers changes being made in the prefs.js file. ___ tor-talk mailing list tor-talk@lists.torproject.org https
Re: [tor-talk] If you have access to certain tools, you can completely ignore Tor.
On 12/18/2011 5:33 PM, Matthew R wrote: From: http://www.wired.com/vanish/2009/09/interview-with-pi-steve-rambam-evan-can-be-found/ Wired: How much can one do with IP addresses that have been run through Tor? SR: If you have access to certain tools, you can completely ignore Tor. You can trap your subject’s IP address without wasting your time busting through Tor. Without revealing too many tricks, for example, it’s easy enough to send someone an e-mail that broadcasts location info back to a server. Someone operating a trap website can grab Evan’s cookies and see his entire browser history and his current IP address. With only a minimal amount of work, you can determine where Evan is viewing a website from. Does this make any sense? I assume that what the PI means is that if you send an e-mail to a non-webmail client (like Thunderbird) which does not go via Tor, then the IP can be determined when it loads the 1x1 HTML pixel from the website. However, if the victim uses webmail then surely all responses would go via Tor? Or does he mean something else? I didn't read the entire article yet, but have read of some similar claims like Someone operating a trap website can grab Evan’s cookies and see his entire browser history Even if partly true, this is one reason I don't understand why TBB has default settings to allow all cookies, seeing as how its main goal is anonymity. Devs are very concerned about not writing anything to cache, but not concerned about cookies. Tor wasn't developed for constant, everyday use by millions w/ the idea that anonymity could be provided for the masses. It probably never will achieve that. Authorities hackers will always be looking for holes. People much smarter than me say if you're that concerned about true anonymity, you'd better encrypt everything. Cookies browsing history are another matter. Under current US other nations' laws, it's possible that gov'ts have already forced developers of any software - incl. Tor - to put in backdoors. And in fact, say it's illegal for the devs of any software to outright disclose such. In general, most gov'ts aren't going to allow devising ways that criminals can easily completely avoid detection. (No, Tor isn't only used by criminals - but gov'ts don't care). And if they determine such software / networks could provide 99.9% anonymity, w/ no way for them to crack it or no backdoors, they'd probably outlaw it. I don't know that it has happened w/ Tor, but it certainly has in other cases. If you want true anonymity, don't use the internet, unless you're very well educated in all things related to internet anonymity (hard for one person to do), and taking extreme, well founded measures to thwart those seeking to identify you or your location, gather info, etc. Plus, it would be a full time job constantly testing your methods keeping up w/ newest ways others could crack your system. A handful of people might have the ability ( almost none the time) to do this. if you send an e-mail to a non-webmail client (like Thunderbird) which does not go via Tor, then the IP can be determined when it loads the 1x1 HTML pixel from the website Could you clarify the question? As Phillip mentioned, Tbird can be Torrified, but I've never been impressed or convinced that the methods are fool proof by any means. Web beacons (web bugs) can be stopped in a few ways, that is probably more reliable than any overall anonymity on the web. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] If you have access to certain tools, you can completely ignore Tor.
On 12/24/2011 4:09 AM, grarpamp wrote: to put one in someday, we'll make it obvious and loud that it is so. No Backdoors. No bugdoors. No so-called lawful interception systems. Court orders and duress can be applied to anyone who is reachable by them. The only real solution should that happen is to take things underground on Tor, or any other strong net, and remain open source therein. It is unfortunate in this regard that the current systems employ known authors. But new unknowns will step in place of the old if need be. Good point. I think you're right. They may have to go WAY underground. Everyone knows several countries have already outlawed Tor other internet uses / sites. Julian Assange was way to visible to carry out his mission, whether one agrees w/ his agenda or not. If gov'ts can't stop persons / organizations they deem embarrassing or threats because of free speech rights, they'll invent other charges against them. Again, I just can't see many gov'ts leaving Tor alone, when (unfortunately) it * presumably *allows combatant enemies to easily communicate anonymously. Democratic nations may not ban it, but they have to protect their national security they won't sit idly by while terrorist groups thumb their noses at security agencies. It's unfortunate that the use of Tor for true, non-violent free speech access to info it's use for more sinister purposes get mixed together. It was once unthinkable that US other free countries would listen in on potentially all citizens' conversations or read private mail (electronic or paper) w/o court warrants, but it's here so far, people pretty much accept it. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] need help with the Lasy version of the Tor Browser
On 1/3/2012 8:51 AM, Андрей Перовский wrote: Hello Everybody! I need you help very much. The last version of the Tor Browser is standing on @relaing the network status@ wile loading. In what the problem could be. Have you got any suggestions? ___ Could you clarify the question problems you are having? ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
[tor-talk] Anonymity HTTPS Everywhere Observatory
Have any recommendations from Tor Project been issued regarding the new? options in HTTPS Everywhere to use their SSL Observatory, where certain info is transmitted to them? Now there's one more item for TBB users to make a decision about that could compromise anonymity. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
[tor-talk] 2 questions on HTTPS Everywhere settings
What are others' opinions of these setting in NoScript in TBB (latest TBB 2.2.35-4)? 1) In Options HTTPSBehavior, the forbid active web content unless comes from an HTTPS connection. Default is never, but there is a choice of when using proxy (recommended w/ Tor). What are some lesser known issues of keeping the Never default setting? What ALL active web content is it allowing by default setting of Never forbid? What are some of *desirable* sites or content that could break if set it to when using a proxy ? That could vary depending on a user's geographical location. 2) Under General tab, default is scripts globally allowed. I suppose Tor devs chose to leave this as default, as many sites won't work well w/o JS. But, to allow scripts globally - in an anonymity software like Tor? No mention, AFAIK, in Tor documentation of what things users should consider about various settings in NoScript. NoScript has many other security functions besides allowing / disallowing scripts, that most users know little about. Yes, you can white list sites you want to allow, then disable allow globally, but you'd better back that list up regularly because of frequent TBB releases any NoScript updates. Thanks. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Anonymity HTTPS Everywhere Observatory
Well, when I installed TBB 2.2.35-4, the HTTPS Everywhere version is 2.0 dev 4. Possibly the version updated along w/ any other extensions, on 1st start of TBB 2.2.35-4? But, that's what I have I'd never seen the pop up about the Observatory before now. On 1/7/2012 11:46 AM, and...@torproject.org wrote: On Sat, Jan 07, 2012 at 11:11:13AM -0600, joebtfs...@gmx.com wrote 0.4K bytes in 10 lines about: : Have any recommendations from Tor Project been issued regarding the : new? options in HTTPS Everywhere to use their SSL Observatory, : where certain info is transmitted to them? Nothing official yet. We ship HTTPS Everywhere 1.2.1 which does not include the SSL Observatory code. The HTTPS Observatory code is in 2.0developmentx releases, see https://www.eff.org/files/Changelog.txt. Currently, when installing the 2.0developmentx release, the first prompt, after installation and restart of firefox, is to decide if you want to opt-in to the SSL Observatory collection (which does transmit via tor). The default is opt-out. If you are reading this and confused, start here, https://www.eff.org/observatory ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Google as default search engine revisited
On 1/10/2012 10:26 AM, 5...@gmx.de wrote: I found a thread in the archive (November 2011), but I could not find a satisfying answer to the questions 1. Why is Google the default search engine in the TOR browser bundle? 2. Does TOR get money from Google a) for using Google as the default search engine? b) in general? Re: Get $. Probably. Just like a lot of other free software get funding from installing search engines or toolbars. But no one has to use Google search or even keep their search engine plugin installed (in TBB, Firefox, etc.). Just install use the other privacy respectful search engines. Non-Profit orgs have to get funds from somewhere. Some don't like Mozilla's business deals w/ Google - others don't care or even know there IS a relationship. A lot of people don't like Google, in general, because of their past privacy invasions (some of which they still do, per Privacy Policy). Many obviously don't care. Bottom line: in any business, if people don't like a certain company or product want other competing companies to succeed, that conduct their business in ways that's more palatable to the customer, then customers must support / use those other, often smaller companies. Else, there won't be much competition to choose from. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Google as default search engine revisited
On 1/10/2012 2:02 PM, Curious Kid wrote: Insinuating that Tor is adware and that the Tor Project is being compensated for delivering user data is outrageous. There's been a recent increase in FUD (because of the SOPA vote?), but this is pretty over the top. 1st, there's no such thing as a free lunch. Adware isn't the same as getting funding for including something that can easily be (1) avoided totally by users, or (2) removed completely from the software by users. Or, if including a search engine in browsers makes them adware, then most browsers are adware, by that definition. In TBB other browsers, users have complete control whether to use any search engine or not. I personally don't like Google, but I'm not forced to use it in Tor nor Firefox. I have NO idea if Tor Project is bound by any legal ? requirements to leave Google's search engine in Aurora, since they are just using Firefox modifying it. Others can correct me, but I'm guessing that IF users follow directions of using TBB, the data that Google searches would be able to mine is not the same as if using stock Firefox, IE, etc. They certainly wouldn't get your real IP address, therefore not be able to tie searches (say, under court order - or lack there of) to users' real IP account / name. Again, if users don't like Google, just don't use it in Tor or anywhere else. It won't make you any safer, but if you wish, del the Google search engine plugin, completely. That'll fix 'em! :D In latest Windows TBB, google search plugin is located: \Tor Browser\FirefoxPortable\App\Firefox\searchplugins ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] How does the new browser know where to find old bookmarks?
You'll have to import them into Aurora from Firefox (or any other) by using the Import Backup from bookmarks library. Either use Import from HTML, if coming from another FF version, or Import from another browser. On 2/2/2012 6:53 AM, M Robinson wrote: Hello, I just upgraded the Tor bundle, I unzipped it into a different folder than the last bundle, but when I tried to import old bookmarks it opened to the location of the previous version's exported bookmarks, which were not saved in a default location. How does the new browser remember where the old browser saved the bookmarks? ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Do You Like Online Privacy? You May Be a Terrorist
On 2/2/2012 11:15 AM, Eugen Leitl wrote: http://publicintelligence.net/do-you-like-online-privacy-you-may-be-a-terrorist/ Do You Like Online Privacy? You May Be a Terrorist February 1, 2012 in Featured Public Intelligence A flyer designed by the FBI and the Department of Justice to promote suspicious activity reporting in internet cafes lists basic tools used for online privacy as potential signs of terrorist activity. The document, part of a program called “Communities Against Terrorism”, lists the use of “anonymizers, portals, or other means to shield IP address” as a sign that a person could be engaged in or supporting terrorist activity. The use of encryption is also listed as a suspicious activity along with steganography, the practice of using “software to hide encrypted data in digital photos” or other media. In fact, the flyer recommends that anyone “overly concerned about privacy” or attempting to “shield the screen from view of others” should be considered suspicious and potentially engaged in terrorist activities. Logging into an account associated with a residential internet service provider (such as Comcast or AOL), an activity that could simply indicate that you are on a trip, is also considered a suspicious activity. Viewing any content related to “military tactics” including manuals or “revolutionary literature” is also considered a potential indicator of terrorist activity. This would mean that viewing a number of websites, including the one you are on right now, could be construed by a hapless employee as an highly suspicious activity potentially linking you to terrorism. The “Potential Indicators of Terrorist Activities” contained in the flyer are not to be construed alone as a sign of terrorist activity and the document notes that “just because someone’s speech, actions, beliefs, appearance, or way of life is different; it does not mean that he or she is suspicious.” However, many of the activities described in the document are basic practices of any individual concerned with security or privacy online. The use of PGP, VPNs, Tor or any of the many other technologies for anonymity and privacy online are directly targeted by the flyer, which is distributed to businesses in an effort to promote the reporting of these activities. ___ O - M - G! I better cancel my tor-talk list acct now sign up again using Tor. We should all create use anonymous email accts, created using Tor only access them anonymously. This could turn into a McCarthy Era fiasco. :-O . I'm being sarcastic, but only partly. Anyone that doesn't think users accessing 1000's of sites lists that deal w/ some of mentioned subjects in OP's quote are being watched (at least, electronically) probably has their head in the sand. Gov'ts have been doing this since WWII - very probably before that. You don't have research very far to verify that. Whether you get interrogated or dragged off in the middle of the night probably depends on your country, sites you visit what you actually say. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] How to use Tor Browser without TBB Bundle?
On 2/7/2012 2:28 PM, Phillip wrote: Thanks for the link C, I did what it suggested vis modifying the start-tor-browser script, but it ends up just launching another window of Firefox and not Aurora... Try adding option -no-remote to Firefox, it should start new process instead of connecting to an already running instance. Ondrej ___ Heyya Ondrej! Thanks for the reply! Quick (possibly slightly stupid) question - the -no-remote option, do I add that to the start-tor-browser script? And if so, where? Don't know about a script. Normally, if you want to run more than one version of Firefox (or maybe Aurora), you add the - no-remote command after the Target box string (command path), that is found by R clicking the start icon Properties. As an example, for Firefox icon, you'd see something like: D:\ProgramFiles (x86)\Mozilla\Firefox 9\firefox.exe This is the path where the executable file is installed (or in Aurora's case, extracted [not installed] ). NOTE: the quote marks are necessary. So adding the -no-remote command would result in something like: D:\ProgramFiles (x86)\Mozilla\Firefox 9\firefox.exe -no-remote note: in the example above, there is a space after ...firefox.exe and the -no-remote command. Type it just as shown (substituting the path where the 2nd instance (version) of AURORA you want to run is located). IOW, put a space between the quote mark after firefox (aurora) and the 1st hyphen, in front of -no-remote If you were using this in a script, I suppose the use of -no-remote would be the same as described. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] How to use Tor Browser without TBB Bundle?
On 2/8/2012 11:29 AM, The Doctor wrote: Don't know about a script. Normally, if you want to run more than one I think he means start-tor-browser (shell script on my box, probably a batch file on Windows). If you were using this in a script, I suppose the use of -no-remote would be the same as described. I got it to work reliably under similar circumstances this way: ./App/Firefox/firefox -no-remote -profile ./Data/profile In circumstances where multiple Firefox profiles are in use, specifying the particular profile used with TBB seems to work more reliably. Yes, that's what I meant. (example from an old desktop icon): G:\Program Files\TBB 2.2.35-3\Tor Browser\Start Tor Browser.exe -no-remote I think we're talking about same thing. Unless you change the TBB profile location, each extracted version (or different instances of same version) uses the profile in that instance's program folder, unless you specify another - as you indicated. If using the default profile in default location, don't have to specify the profile name (I'm sure most know that - just clarifying). ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk